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P 


RO. C BE ED 


NGS 


THE COURT: 


MR. FRANK: 


THE CLERK: 


interpreters are still 


The jury is 


Yes. 


all ready here. Is your agent 


You can take the stand, and then the 


THE COURT: 


Yes. 


You're up at bat, right? 


MR. FRANK: 


THE COURT: 


THE CLERK: 


Max, 


Yes, I am. 


under oath? 


Knock on the door, Maryellen. 


have to make sure his headphones are 


put him on 28 on the back side of it. 


(Discussion 


re) the record.) 


THE COURT: 


that a sketch artist 


familiar with that. 


tomorrow or the next 


‘ERN 


CH: 


THE COURT: 


By the way, 
may be comin 
So a sketch 


day or whate 


I'm glad I 


Yes, but you've got to turn and | 


for them to see the purple -- 


(Laughter. ) 


MR. 


F 


KERN 


CH: 


THE COURT: 


T'll handl 


Very, very, 


let's let this jury in. 


Maryellen got a phone call 


g. I don't know if anyone 
artist may be arriving 
ver. 


wore this fancy shirt and 


e that part of it. 


very stylish. So, all right, 
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i THE CLERK: All rise for the jury. 


2 (Jury enters the courtroom.) 
3 THE COURT: Good morning to everyone. 


4 THE JURY: Good morning. 


5 THE COURT: Once again, you're the most amazing jury 


6 ever. You're all showing up on time, and I know the weather is 
7 cold, et cetera, and so —- not as bad as it was on Friday, but 


8 nonetheless. 


9 Someone asked me about the trial and what to expect in 


09:12 10 terms of timing. We're right on track, let me start there; if 


‘lal anything, a little on the earlier side. So there's no way it's 


12 going to go beyond, you know, the long weekend. I'm hoping 


13 actually that it could possibly finish, in terms of the 


14 evidence, end of week, beginning of next. On the day or days 


15 you're out deliberating and closings, et cetera, I'll ask you 


16 probably to stay till 4:00 o'clock, so please sort of be 


17 flexible towards the end of the week, beginning of next as to 


18 when that is. 


19 How long the trial takes is ultimately up to you for 


09:13 20 as long as it takes to deliberate. So somebody asked for that. 


21 I think someone had a doctor's appointment. And unfortunately 


22 Monday is, like, right on -- I don't know what Monday is going 


23 to look like. 


24 Anyway, I think that's all we need. Did anyone talk 


25 about the case, see anything in the newspaper, social media? 


09:14 10 


09:14 20 


21 


22 
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find the jury has 


complied. 


Let's move on. We're going to 


EMTSEV: Recross. 


COURT: Okay, and then on 


CLERK: Sir, you're still 


WITNESS: Yes, ma'am. 


CLERK: Thank you. 


finish on the recross? 


to the next witness. 


under oath. 


DAVID HITCHCOCK 


having been previously duly sworn, was 
further as follows: 


THE COURT: You have notebooks 


MR. NEMTSEV: May I proceed, y 


THE COURT: Absolutely. Go ah 


examined and testified 


2? Everyone ready? 
our Honor? 


ead. 


[NUED RECROSS-EXAMINATION BY MR. NE 


MTSEV: 


Good morning, Special Agent Hitche 
Good morning. 
You testified on redirect that Sta 


retention policy is three years, correc 


A. In certain aspects, it was represe 


Q. And so did the government and FBI 


from Micfo directly? 


23 


24 


25 


A. Could you repeat the question, ple 


ock. 


ckPath's document 
t? 
nted that way, yes. 


agents obtain invoices 


ase. 


Q. Did you obtain any invoices direct 


from other government agents? 


ly from Micfo that came 
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1 A. 


2 Q. And you would agree that those government agents obtained 


3 them as part of Micfo's criminal case? 

4 MR. FRANK: Objection, your Honor. 
5 COURT: Overruled. 

6 A. 


7 Q. And you would agree that they obtained those invoices 


8 close in time to the indictment of Micfo? 


9 : I don't know. 


09:15 10 : You would agree that they obtained them prior or at the 


11 of Micfo's indictment, correct? 


12 : That's my understanding. 


13 : And Micfo was indicted in the spring of 2019, correct? 


14 : I don't know the timing, sir. 


15 : Micfo was indicted after December of 2018, correct? 


16 : [ lieve that's correct. 


17 : if I represent to you that Micfo was indicted in the 


18 spring of 201 


19 MR. FRANK: Objection. 
09:15 20 THE COURT: Sustained. He said he didn't know. 


21 Q. And isn't it a fact, sir, that you did not look at any 


22 additional invoices relating to the 104.238 IP address from the 


23 production that Micfo sent directly? 


24 A. I believe that's correct, yes. 


25 Q. You testified on redirect that the Wan Connie account used 
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al the inbox.lv address; is that correct? 
Z A. Yes. 
3 THE COURT: Wait a minute. Slow down again so we 


4 remember. What's the Wan Connie account? 


5 THE WITNESS: This was one of the accounts obtained in 


6 the course of the investigation. It was a Namecheap account. 


7 Q. And isn't it a fact, sir, that the Wan Connie email 


8 address doesn't fit the labeling that you described on the 


9 other Namecheap accounts related to the intrusions or potential 


09:16 10 intrusions into Toppan Merrill servers? 


Li A. It was very Similar. It was first, last, and three 


12 letters instead of two at inbox.lv. 


13 Q. But it was not the same, correct, sir? 


14 A. It was very similar, yes. 


15 THE COURT: Slow down because we don't know this as -—- 


16 so Say it again. It was the first -- 


17 THE WITNESS: Oh, first as in first name, last as in 


18 last name of the subscriber, three letters instead of two at 


19 inbox.lv. And by three -- I think I said three letters. 


09:17 20 neant three numbers, so wanconnie90@inbox.I1lv. 
21 Q. And, to your knowledge, anyone can create an account 


22 within the inbox.lv; is that correct? 


23 A. That's my understanding. It's just open to the general 


24| public. 


25 Q. And isn't it a fact, sir, that the Wan Connie account did 


09:18 10 


09:19 20 


21 


22 


23 


24 


25 
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not purchase 


any of the domains that were located on Toppan 


Merrill servers? 


A. That's correct. 


Q. And, sir, do you deny that Special Agent Kang reviewed the 


M-13 website 


MR. 


prior to Mr. Klyushin's arrest? 


FRANK: Objection as to what Special Agent Kang 


COURT: Sustained. 


MR. 


THE 


THE 


NEMTSEV: Nothing further, your Honor. 


COURT: Okay, thank you. You may step down. 


WITNESS: Thank you. 


(Witness excused.) 


MR. 


having been 


follows: 


THE 


FRANK: The government calls Jacob Wall. 


JACOB WALL 


first duly sworn, was examined and testified as 


CLERK: You can be seated. Could you please state 


and spell your last name for the record. 


THE 


WITNESS: Wall, W-a-l-l. 


IRECT EXAM 


NATION BY MR. FRANK: 


Q. Good morning, Mr. Wall. Could you just pull that mic up 


close. Are you currently employed? 


A. Yes, 


THI 


No. We can't hear a word you're saying. 


THE 


Yes, I am. 


Case 1:21-cr-10104-PBS Document 215 Filed 02/21/23 Page 10 of 167 


i THE COURT: All right, let's practice. What's your 
2 full name? 


3 THE WITNESS: Jacob Wall. 


4 THE COURT: All right, you hear your voice catch? So 
5 we all need to hear you. Okay, great. Thank you. 


6 Q. Where do you work, Mr. Wall? 


i A. I'm a pilot for a private charter company out in ] 


8 called ATI Jet. 


9 : And is that what you were doing in 2018? 


09:19 10 : No. I worked for StackPath back then. 


11 Q. Can you just speak a little louder and a little more 


12 slowly, please. 


13 A. I worked at StackPath back then. 


14 QO. What was StackPath? 


15 A. StackPath was a business that had a business-to-business 


16 component as well as business-to-consumers side, and I worked 


1] on the business-to-consumers side VPN services. 


18 : It provided VPN services? 


19 Yes. 


09:20 20 : Did StackPath have any subsidiary or related companies? 
21 : Yes. They had quite a few. 


22 ‘ Could you tell me what some of those were. 


23 : TPVanish, StrongVPN, and Encrypt.me. 
24 THE COURT: You know what, we have to get them down. 


25 So we have —-- all right, so slow down. All right, we don't 
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ac know these names. Some of them we've heard; some of them we 


2 haven't. So slow down. So what did StackPath have? Was it 


3 affiliated businesses? Was that the way you -- how did you 
4 word it? Why don't you —-- 


5 MR. FRANK: Subsidiary or related businesses. 


6 A. So some of the subsidiaries were IPVanish, StrongVPN, and 


i Encrypt .Me. 


8 THE COURT: What was that last one? 


9 THE WITNESS: Encrypt period me, so Encrypt.me. 


Filiated business called Mudhook 


09:20 10 Q. And was there also ana 
11 Marketing? 
12 A. Yes. Mudhook Marketing was the legal entity that owns 


13 TPVanish. 


14 : And those other entities were VPN providers? 
15 : Yes. 


16 ‘ How long did you work at StackPath? 


17 : I started in July of 2016, and Ziff Davis acquired them in 


18 April of 2019. 


19 : Ziff Davis acquired them in April of 2019? 


09:21 20 


21 : large publicly traded company? 


22 


23 ; What were you doing for StackPath in 2018? 


24 : I was the director of business operations, so I focused on 


25 | expansion, understanding how we could better improve the 
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service for our customers, and had my hands ina lot of 


fferent areas there. 


09:22 10 


09:22 20 


21 


22 


23 


24 


25 


How far did you go in school, sir? 


got my bachelor's degree. 


In what? 


General business from SMU. 


Directing your attention to late 2017, early 2018, did 


there come a time when StackPath decided to enter the Boston 


Market? 


A. 


Q. 


A. 


Yess 


Why did you want to be in Boston? 


So 2017 was the year where there was a ton of growth 


within that business, so I had made a goal to be within 250 


miles of any of our users and customers in the United States, 


so we expanded to multiple cities. The idea behind it is that 


the service is better the closer you are to the end user. 


Q. 


Why is the Internet service better the closer you are to 


the end user? 


Ao 


Internet and you have to go 


So there is latency, so if you're trying to connect to the 


£ 


from, say, Boston to Dallas to go 


back to Boston, that roundtrip time makes a not as good user 


experience. 


Q. 


A. 


So you wanted to be in Boston to provide better, faster 


Internet service to your clients? 


Yes. 
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al Q. As part of that effort, did there come a time when you 


2 leased a set of IP addresses from a company called Web2Objects? 


4 : What is Web2Ob jects? 


5 : They owned a lot of IP addresses that we leased from them 


6 in a variety of states in the U.S. and countries abroad. 


7 Q. Why did you lease the addresses from Web2Objects as 
8 opposed of buying them? 


9 A. So the idea behind leasing was that it would save us money 


09:23 10 in the short term because they were quite expensive to purchase 
11 outright. 


12 O% Were IP addresses limited at that time? 


13 A. Yes. At that point, all of the IP addresses had been 


14 allocated, so you had to purchase them on the secondary market. 


LS Q. And so you leased them from Web2Objects? 


Ly MR. FRANK: Could we have Exhibit 145 in evidence, 


19 : . Wall, do you see this letter of authorization from 


09:23 20 Web20bjects to a company called Micfo? 
21 A. 


22 Ob What is a letter of authorization? 


23 A. A letter of authorization is a form that the owner of the 


24 IP addresses makes which allows us to announce them, to make 


25 them accessible on the Internet. 
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1 Q. Announcing an Internet address makes it accessible on the 


2 Internet? 


4 ‘ What is Micfo? 


5 : icfo was a provider that we used to get servers in 


6 Internet transit from —-- out to multiple cities in the U.S. 


7 THE COURT: Slow down. What is it? 


8 THE WITNESS: A company that we rented servers from. 


9 Q. And you said you rented servers from Micfo in multiple 


09:24 10 cities in the United States? 
Ad. A. Yes. 


12 Q. And at this time, May 2018, had you been using Micfo for 


13 those types of services? 
14 A. Yes, we had. 


15 Q. Okay. And what was your experience with Micfo? 


16 A. Very good. They had a bunch of locations that were harder 


17 for us to acquire. They were unique, in that they picked 


18 cities that there wasn't a lot of competition in in order to, 


19 you know, be the player out there. 


09:24 20 THE REPORTER: Please repeat the last part. 


21 THE WITNESS: Oh. In order to be competitive in that 


22 
23 THE COURT: You drop the end of your sentences, which 


24 is why we're not catching the end. 


25 THE WITNESS: Okay. Can you restate that question, 
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ac and then I'll -- 


2 Q. I'll move on to the next question. Thank you. 


3 letter we see references to a 104.238.37.0/24 block of 


4 addresses? 


5 A. 


6 Q. And so am I correct in understanding that there are 


7 numerous individual IP addresses within that block? 


8 : Correct, and the slash 24 was 255 IPs. 


9 ‘ And they all began with 104.238.37? 


09:25 10 : Yes. 


11 . Okay. And those were assigned to Boston? 
12 : Yes. 


13 : And then you have other IP addresses, 104.238.38 for 


14 Cleveland, 45.56.172 for Denver, and so on and so on in cities 


15 including Milwaukee, Nashville, Salt Lake, and St. Louis? 


16 : Yes. 
17 : And you used Micfo to provide those services to you? 


18 : Correct. 


19 : Now, this letter of authorization -—- by the way, did you 


09:26 20 receive this letter of authorization? 
21 A. Yes. 


22 Q. And the letter is dated May 30th of Do you see 


23 that? 


24 A. I do. 


25 Q. What was your practice when you received a letter of 
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ac authorization like this? 


2 A. We would immediately provide it -- or I would immediately 


3 provide it to, in this case, Micfo. 


4 QO. I want to ask you a question about a company called 
5 Cogent. What is Cogent? 


6 A. Cogent is what is called a tier one network, so they have 


7 access to everyone on the Internet. So they're a company not 


8 many people know but is the backbone to the Internet. 


9 : It's the backbone to the Internet? 


09:27 10 : One of three, yes. 


11 : So it's like a pipeline for Internet traf 


12 : Yes. 


£ 


13 : Okay. And when you rented servers from Micfo in Boston, 


14 do you have an understanding of who the Internet service 


15 backbone provider was for the Boston datacenter? 


16 A. Yes, Cogent. 


S 


17 Q. Given this letter of authorization, was Cogent authorized 


18 to direct Internet traffic for the 104.238.37 block of IP 


19 addresses anywhere other than Boston? 


09:27 20 : No. Just Boston. 


21 : testified that you provided this letter of 


22 tion to Micfo right away. 
23 


24 . Why? 


25 . It was standard practice. There's a lot of cost involved 
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1 in renting these IP addresses and the associated servers, so 
2 was in our best interest to get things up and running as 
3 quickly as possible. 


4 : f May 30, 2018? 


6 MR. FRANK: Could we have Exhibit 140, please. 


. : Mr. Wall, this is Exhibit 140 in evidence. Do you 
8 recognize it? 
9 A. Yes. 

09:28 10 ; What is it? 


11 : It's an invoice saying that it was paid to Micfo. 


12 : In your work at StackPath, did you typically receive 


13 invoices like this one from Micfo? 


15 : And did you pay them? 


17 : Could we look at Page 5, please. This one says "unpaid," 


18 but the jury has seen bank records showing that it was in 


19 fact —- 


09:28 20 THE COURT: Do you recognize that "unpaid"? 
21 your logo? 


22 THE WITNESS: No. So that -- are you asking about the 


23 icfo logo? 


24 THE COURT: No. The red flag that says "unpaid," do 


25 you know what that is? 
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1 THE WITNESS: So let me explain how that works. So 


2 these providers will send us an invoice that's marked "unpaid." 


3 Once we pay it, we receive a paid version of that same exact 
4 invoice. 


5 THE COURT: I see. So that's Micfo's flag, not yours? 


6 THE WITNESS: Correct. 


7 : And you paid these invoices, correct? 
8 : Yes: 


9 : And this invoice is dated November 24, 2018, covering the 


09:29 10 period beginning in December, and you can see that it reflects 


11 the 104.238.37 block of IP addresses we were just looking at on 


12 the letter of authorization? 


13 : Yes. 


14 : The let F authorization was dated May 30? 


15 : Correct. 


16 ‘ Was it your practice to wait six months to get the 
Af address up and running? 


18 A. No. 


19 Q. Did you attempt to locate earlier invoices for that block 


09:29 20 IP addresses, the 104.238.37 block? 


21 F Yes. 


22 ‘ Have you been able to find them? 


23 : I have not. 


24 ‘ Did you in fact start using that 104.238.37 block of 


25 addresses -- 
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i MR. NEMTSEV: Objection. 


2 THE COURT: I haven't heard the end of the question. 


i) Q. Did you in fact start using that 104.238.37 block of IP 


4 addresses in Boston prior to November, 2018? 


5 MR. NEMTSEV: Objection. 


6 THE COURT: Overruled. 


7 : Yes, we did. 


8 : And did you pay for it prior to November of 


9 : Yes. 


09:30 10 . Where was that IP address located? 


11 Boston. 
12 ‘ How do you know that? 
13 : We would have been getting complaints from customers, so 


14 if you're in Boston and it wasn't there, we would see where th 


15 user experience wasn't good and someone would have complained. 


16 I never saw anything of that sort. 


17 THE COURT: So back up. You were getting complaints 


18 from customers about what? 


19 THE WITNESS: So using that example of why we care to 


09:31 20 be in cities like Nashville and all that, if you were to be in 


21 Boston and had to go to Dallas to access the Internet and back, 


22 it would have been a subpar experience online, so you would 


23 have seen buffering on videos, stuff of that nature. I never 


24 saw reports of that. 


25 Q. So you never got complaints about that? 
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1 : No. I never saw anything. 


2 Q. And in fact, in all your work with Micfo in all these data 


3 centers, did you ever have any concerns that the Internet 


4 addresses you directed to be placed in those centers were where 


5 they said they were? 


6 MR. NEMTSEV: Objection. 


a THE COURT: Overruled. Did you ever get any 


8 complaints, period, from anyone? 


9 THE WITNESS: As far as what the experience was like? 
09:31 10 THE COURT: From any Boston customers? 


11 THE WITNESS: No. 


12 Q. Did you ever have any concerns that the IP addresses that 


13 Micfo told you were located where they were were elsewhere? 


14 A. I never had any concerns, no. 


15 MR. FRANK: No further questions. 


16 CROSS-EXAMINATION BY MR. NEMTSEV: 


LS) ©. Good morning, Mr. Wall. My name is Max Nemtsev, and I 


18 represent the defendant, Mr. Klyushin, in this case. You and I 


19 have never met before, correct, sir? 


09:32 20 3 We have never met, no. 


21 : And you and I have never spoken bei is that correct? 
22 : We have not. 

23 ; You have spoken with Mr. Frank and Special Agent Hitchcock, 
24 correct? 


25 A. Yes. 
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al : Most recently on January 13, 2023; is that correct? 


2 ‘ No. We met last night. 

3 Q. You met last night? And prior to that you met at least on 
4 two other occasions; is that correct? 

5 A. 

6 Q. And you are accompanied by your attorney here, 


7 Ms. Walters; is that correct? 


8 A. I am accompanied by her, yes. 


9 Q. Are you ware, sir, that I requested to speak with you 


09:33 10 through your attorney? 


11 - I am not aware of that, no. 
12 ‘ That message was never conveyed to you, sir? 


13 : It was not made aware to me, no. 


14 . In the 2019 time frame, you worked for StackPath, correct? 


15 : Yes. 


16 : And StackPath was sold, you testified, in March ot 


Ly is that correct? 


18 A. I thought the date was April, but, yes, it was early 2019 


19 when Ziff Davis acquired them. 


09:33 20 Q. And StackPath leased, you testified -—- well, you testified 


21 that StackPath leased the 104.238 block of IPs from Web2Objects; 


22 is that correct? 


23 A. 


24 Q. And you needed to lease because ARIN, the Internet 


25 registry, ran out of IP blocks to assign; is that correct? 
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1 : They were all allocated, yes. 


2 Q. You would agree that there's significantly more demand for 


3 IP addresses than their availability? 
4 A. Yes. 


5 O- And would you agree that that requires certain customers 


6 to share IP addresses? 


i A. What do you mean by share them? 


8 Q. Meaning you and I could potentially be sharing an 
9 that correct? 


09:34 10 A. We could, yes. 


11 OQ. IPs are portable? You can move them from one place to 


12 another at will; is that correct? 


13 A. 


14 Q. And you were in the business development section of 


15 StackPath; is that correct? 


16 : Business operations. 


17 : Business operations section? 


18 : Yes. 


19 : Did that include assembling servers, putting servers 


09:34 20 together? 


21 A. I had done that on occasion, but that was -—- the physical 


22 putting them together and racking them was not part of my 


23 day-to-day job description, no. 


24 Q. Your day to day was interacting with clients, dealing with 


25 customer service issues; is that correct? 
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1 A. Mostly around our growth plans, so what did we need to 


2 build to get out there, but I was not the worker that was 

3 necessarily accomplishing it. 

4 Q. And you would agree, sir, that StackPath itself did not 
5 own any servers that were located in Boston? 


6 A. Correct. 


. : You needed to lease the server from a company such as 


8 LCfoO, correct? 


9 : Correct. 


09:35 10 Q. And, sir, are you aware that Micfo was convicted of fraud 


11 that occurred between February of 2014 and the spring of 2019? 


12 A. Yes. 
13 Q. And that conviction does not, in your opinion, affect 
14 the -- strike that. Sir, isn't it a fact that you don't know 


15 what Micfo did with those IP addresses? 


16 A. Can you clarify what you mean by that? 


17 Q. You believe that Micfo took those IP addresses and placed 


18 them on their servers in Boston; is that correct? 


19 Ax I have no reason to believe that's not what they did. 


09:36 20 Q. But you don't know for a fact. You never checked the 


21 configurations. You never went to the Markley Center down in 


22 Boston to check whether those IPs were located on the server 


23 that Micfo said they were located on; is that correct? 
24 A. Correct. 


25 Q. And who is Justin Boccio? 
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1. A. Justin Boccio is a systems administrator. 


2 O.. And he is the individual that's tasked with placing 
3 certain servers; is that correct? 


4 A. Correct. He would have been the one that would have 


5 deployed the software on the server itself. 


6 Q. And are you aware that Mr. Boccio told the FBI 
7 adldn tt <= 
8 MR. FRANK: Objection. 


9 THE COURT: Sustained. 


09:36 10 : You testified about ARIN, correct? 


11 : I said who they were, yeah. 


12 : Can we pull up Exhibit 176. 


13 THE CLERK: I switched. 


14 MR. NEMTSEV: Thank you, Maryellen. 


15 THE CLERK: You're welcome. 


16 Q. Does this appear to be a registration record for the 


17 104.238 IP addresses for the time period between May 18, 2018 


18 and September 30, 2020? 


09:37 20 ‘ Could we please turn to Page 2. 


21 . NEMTSEV: Ms. Lewis, could you please assist? 


22 THE CLERK: Do you want me to switch over? 


23 MR. NEMTSEV: Yes, please. 


24 THE CLERK: Okay, not a problem. Hold on. Okay. 


25 : And this is Page 2 of the same record, and it says that 
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A Web20b jects reassigned 104.238 -- I just lost my -- reassigned 


2 104.238 to the filing organization, and it lists "Strong 
3 Technology LLC." Do you see that? 


4 A. Yes. 


5 Q. And Strong Technology LLC is one of the companies that you 


6 testified to was a subsidiary of StackPath; is that correct? 
7 A. That is correct. 


8 Q. And specifically Strong Technology operated the VPN, 


9 StrongVPN; is that correct? 


09:38 10 A. So IP addresses, even if they were assigned to Strong 


11 Technology, could in theory been used by any of the subsidiaries. 


12 Q. Well, in this instance, this IP address, this IP range was 


13 specifically assigned and designated to the Strong Technology 
14 LLC company, correct? 


iS) A. The LLC, yes. 


16 Q. And StrongVPN, to your knowledge, never offered an 
17 server or a server in Boston, correct? 


18 A. Strong had servers in Boston, yes. 


19 Q. As part of your operation of StrongVPN, IPVanish, and 


09:39 20 other companies, you have websites, correct? 
21 : Yes. 
22 : And those websites have status pages, do they not? 
23 : They do. 
24 : And on those status pages, you show which servers are 


25 available at what time; is that correct? 


09:39 10 


09:40 20 


21 


22 


23 


24 


25 


Case 1:21-cr-10104-PBS Document 215 Filed 02/21/23 Page 26 of 167 


A. I think the only one that had automated status pages in 


the account portal was IPVanish. The rest of them, I could be 


mistaken, but I don't believe that they did. 


O.. Well, would you agree that it's important to update the 


status pages in order to give your clients accurate information 


as to what servers were available and which ones were not? 


A. Yes, I would believe that it would be important to put an 


emphasis on that, yes. 
Q. So you would imagine that -- or do you believe that the 
status pages for StrongVPN are accurate? 


A. We -—- I don't know back at that time. 


O. You worked for StackPath back at that time, correct? 


Sy 


I did. Strong was not a brand that we focused much on. 


flagship brand was IPVanish. 


And you were consumer-facing, correct? 

Yes. 

You dealt with customers and their complaints, correct? 

Yes. 

Did you ever hear a customer tell you that what was 
located on the StrongVPN page in terms of servers and status 
was inaccurate? 


A. Inaccurate in what sense? 


Q. In the sense that some certain servers were unavailable, 


other servers were available, but not on the list. 


A. So in the client application, a server would not show up 


09:41 10 


09:41 20 


2] 
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unless it was online. So in the client app, that would be one 


thing, but the website was manual in that respect. 


Q. And how frequently 


is the website updated, if you know? 


A. When we would add cities, it would be a matter of getting 


with the marketing team to let them know to add it, and then 


however long that process took. It could take weeks. 


QO. It could take weeks 


months, correct? 


, but it wouldn't take months or six 


MR. FRANK: Objection. Calls for speculation. 


THE COURT: If you know. 


don't know in that case. 


[t's important for your marketing purposes to have 


accurate lists of available servers, correct? 


MR. FRANK: Objection. Asked and answered. 


THE COURT: Sus 


Are you familiar wit 


Yes. 
And what is it? 


They take snapshots 


tained. 


th the website Wayback Machine? 


of Internet, like, websites, and then 


you can go back to them to see what they look like on a 


historical date. 


22 


23 


24 


25 


MR. FRANK: Objection. Hearsay and lack of 


authenticity. 


EMTSEV: And could we pull up Exhibit 412, 
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i COURT: Well, don't pull it up until he sees it. 


2 MR. FRANK: Your Honor, I object to this being 


3 displayed. 


4 THE IT don't know. It can't be put up on the 


bs screen until 


6 MR. It was just put up on the screen, your 


8 THE COURT: For a nanosecond. 


9 Q. And, sir, you testified that you searched for invoices 


09:42 10 from Micfo prior to December of 2018 related to this IP block; 


11 is that correct? 


12 A. Yes. 


13 Ox And you were not able to locate any invoice that references 


14 this IP block at a time earlier than December of 2018; is that 


15 correct? 


16 A. I believe that to be correct, yes. 


17 : Sir, did you locate any other invoices that referenced the 


£ 


18 server that you were leasing 


rom Micfo indicating that 


19 were assigned to a different IP range? 


09:43 20 ; I didn't. All I did was look for Micfo invoices, and I 


21 those along. I didn't pay much attention to them. You'd 


22 to be more specific. 


23 MR. NEMTSEV: Could we pull up Exhibit 416, which is 


24 in evidence. 


25 Q. Is this one of the invoices that you provided to the 
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1 government in response to their subpoena? 


2 : Whether I provided it, I'm not entirely sure, but it looks 


3 a Micfo invoice just like the rest of them. 


4 : Micfo invoice, this one is marked "paid," is that correct? 


3 ‘ Yes. 


6 . Invoice date is October 25, 2018; is that correct? 


7 F Yes. 


8 ‘ The first item that you're being invoiced for is $415 


9 leasing the Server 07 and assigning it to the IPs 


09:44 10 ~-156.206.2; is that correct? 
11 : Yes. 


12 - And that is not the same as the 104.238 IP address that 


- 


13 government requested you to look 


or, correct? 


14 : So the way that that works is, in order to get the server 


15 up, they provided a set of IPs, a smaller block. So slash 


16 27 in this instance is 32 IP addresses, which is insufficient 


17 for us to provide the services to our end-users. And then we 


18 would go and provide a larger block that we leased out, so you 


19 could have both blocks living on that same exact server. 


09:45 20 Q. But you don't know in this instance, or based on this 


21 invoice, that both blocks were on that server; is that correct? 


22 A. On that invoice, there's nothing that states it. I would 


23 agree. 


24 Q. And, sir, does any StackPath affiliate provide free 


25 services, free VPN services? 
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1 A. That specific time frame that we're talking about? 


Z not believe so, but I cannot be for certain. 


3 O. And you would agree that, in order to use a VPN service, 


4 you would have to sign up with your company StackPath? 


5 A. One of the subsidiaries, yes. 


6 Q. It's either IPVanish or StrongVPN or any other subsidiary, 


7 correct? 

8 A. Correct. 

9 Q. And in order to sign up, you would have to take a name, an 
09:45 10 address, a credit card; is that correct? 
11 : Yes. 


12 : And how much does the service cost, sir? 


13 : Back then, somewhere between $10 a month and $60 a year. 


14 ; Did you ever locate any account records belonging to 


15 . Klyushin, or Mr. Ivan Ermakov, or Mr. Nikolai Rumiantcev? 


16 A. My interaction with the requests that were from the 


LS) government, they never asked. I was never a part of that part. 


18 THE COURT: Say that again? 


19 THE WITNESS: I personally was never asked to look up 


09:46 20 any customer records myself, so I don't know what was provided. 


21 Q. And, sir, do you know what IP geolocation is? 


22 A. 


23 Ox. And in the VPN business, IP geolocation is important, 


24 correct? 


25 MR. FRANK: I object, and this is beyond the scope. 
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al. THE COURT: Overruled. 


2 A. Yes, it is confusing. Say, for example, you went to 


3 connect to a server in Boston, and I think there was a document 


4 from Web20bjects where their corporate address was in New York 


5 City, so it probably looked like New York City. And then you 


6 go to Google Maps, and it thinks you're in New York City. You 


7 try to correct for that. 
8 Q. You try to correct for it. And specifically in VPNs, when 


9 you tell a customer that you are connecting, for example, to a 


09:47 10 Dallas server, they expect everyone else that looks at their IP 


Li to believe that they're from Dallas, Texas? 


12 MR. FRANK: Objection to what other people expect. 


13 THE COURT: Sustained, sustained. 


14 Q. Isn't it important to get IP geolocation correct in 


15 connection with VPN IP addresses? 
16 MR. FRANK: Objection. 
17 COURT: Sustained. 


18 WITNESS: Yes. 


19 COURT: So don't answer when I say "sustained." 


09:47 20 WITNESS: Sorry. 


21 . FRANK: Move to strike. 


22 COURT: I strike it. 


23 . NEMTSEV: Nothing further, your Honor. 


24 COURT: Anything? 


25 . FRANK: Briefly, your Honor. 
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] i iCT EXAMINATION BY MR. FRANK: 


2 . . Wall, you can have multiple blocks of IP addresses on 


3 server, correct? 


5 OQ. Were you absolutely meticulous about maintaining all your 


6 invoices that you paid back in 2018? 
7 A. No. 


8 Q. The 104.238.37 IP address block that we've been talking 


9 about, was it in Boston in 2018? 
09:48 10 A. Yes. 
11 MR. FRANK: No further questions. 


12 THE COURT: Okay, thank you. 


13 Anything else? 


14 MR. NEMTSEV: Nothing further, your Honor. 


15 THE COURT: You can leave, unless you want to stay. 


16 THE WITNESS: No. I'm good. 


17 (Witness excused.) 


18 MR. KOSTO: The United States calls Aditi Shah. 


19 ADITI SHAH 


09:49 20 having been first duly sworn, was examined and testified as 
21 follows: 


22 THE CLERK: You can be seated. Could you please state 


23 and then spell your last name for the record. 


24 THE TNESS: My name is Aditi Shah, and the last name 


25 is S-h-a-h. Aditi, A-d-i-t-1. 
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[RECT EXAM 


NAT 


ON 


BY MR. KOSTO: 


09:50 10 


09:50 20 


21 


22 


23 


24 


25 


Good morning, 


Good morning. 


Ms. Shah. 


Q. Go ahead and pull that microphone nice and close so we can 


all hear you. 


I'll do my best to keep my voice up, and I'd ask 


you to do the same. Okay? 


Okay. 


What city do you work in now, Ms. Shah? 


I work in Raleigh. 


And what company do you work for today? 


Today 


contractor with Cisco, and I am a contractor with Bank of 


America. 


[ work 


for The Select Group, and I work as a 


And what does your contract with those companies involve? 


I work as a senior network engineer for the data center. 


Whose data centers? 


Bank of America's data centers. 


Let me take you back in time to the period between June of 


2017 and February of 2019. Were you working as a network 


engineer somewher 


else? 


what was the name of the company you worked at back 


I was working with Micfo. It was based in Charleston. 


South Carolina? 
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2 QO. And we've heard both Mikefo (Phon) and Micf 


3} right? 


4 ‘ Mikefo (Phon) is the correct pronunciation. 


5 : And what was your job title at Micfo? 


6 : I was still a network engineer with Micfo. 


a THE COURT: I can't understand what you're saying. 


8 Slow down. 


9 THE WI I was working as a network engineer at 
09:51 10 
11 THE COURT: AS a network engineer? 


12 THE WITNESS: Yes, ma'am. 


13 Q. As a network engineer at Micfo, did your job 


14 responsibilities include assigning IP addresses -—- 


LS MR. NEMTSEV: Objection, your Honor. 


16 THE COURT: Overruled. 


ay Q. Did your job responsibilities include assigning 1 


18 addresses to Micfo data centers around the country? 


19 A. Yes, sir. That was part of my job duties. 


09:51 20 Q. Let me direct your attention to Government's Exhibit 267 


21 in evidence and the last page of that exhibit. 


22 Thank you, Ms. Lewis. 


23 I'm showing you the last page of . Do you recognize 
24 


25 . So this is one of the letters that we would normally 
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] receive, like a letter of authorization we would receive from 


2 our clients. 


3 Q. And what is a letter of authorization from your time at 


4 Lcfo? 


5 A. A letter of authorization is required when we are asked to 


6 use or announce a certain IP which doesn't belong to Micfo to 


- our ISP provider. So we need the proof that that IP belongs to 


8 whoever is asking us to use it. 


9 Q. So in the case of Exhibit 267, who did the IP address 


09:52 10 belong to? Who was the authorizing company? 


11 A. In this case, it was the Web20bjects LLC. 


12 : And who was the letter of authorization authorizing to use 


13 IP addresses in this document? 


14 2 It authorizes Micfo. 


15 Q. And can I have you read the first IP block that is 


16 referenced in the group of them there in the third paragraph. 


uk A. Sure. It's "104.238.37.0/24, Boston." 


18 ‘ And what city was listed for that IP? 


19 F Boston. 


09:53 20 : How many cities in total were listed in this letter of 
21 authorization? 
22 : Seven. 
23 : That's Boston, Cleveland, Denver, Milwaukee, Nashville 
24 : Salt Lake City. 


25 ; —- and St. Louis? 
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1 A. 


2 Q. And were any of these any different than any of the others 
3 for your purposes? 

4 A. No. 

5 Or When you received a letter of authorization like this one 


6 from Web20bjects, what would you do with it? 


7 A. So this is essentially telling Micfo that we want these 


8 IPs to be announced in these locations so that we can use them 
9 on our servers, and Micfo was an infrastructure service 


09:54 10 provider, so we did provide those servers as well. 


ala Q. Where would you send this letter of authorization when you 


12 received one? 


13 : We would send it to our ISP providers in each location so 
14 they can announce these. 
15 : First of all, what is announce? 


16 : So announcement 


17 MR. NEMTSEV: Objection, your Honor. 


18 COURT: Well, we're going to stick to the documents. 


19 MR. KOSTO: Sure. 


09:54 20 Q. Who was the ISP provider for Boston? 


21 A. We had multiple providers in most of our locations. We 


22 were in multihomed -—- that is, we had two ISP providers a 


23 case —-- and in Boston we had, as far as I remember, we had 
24 Cogent and GTT. 


25 Q. So what did you do with the letter of authorization —- 
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al what's the date on the letter of authorization? 


2 A. It's May 30, 2018. 


3 Q. And can I take you, please, to Page 6 of Exhibit 267 with 


4 Ms. Lewis' help. 


5 MR. KOSTO: Ms. Lewis, can you highlight the bottom 


6 two-thirds of the page. 


. : Do you see the date on this blown-up part of the document? 
8 ‘ Yes. 
9 : What is it? 


09:55 10 ‘ It's May 30, 2018. 


‘lal ; Is that the date on the letter of authorization? 
12 : Yes. 

13 : And who did you send it to? 

14 : Cogent. 


15 : And what was Cogent again? 


16 : Cogent is an ISP provider, upstream provider. So once we 


17 the data to Cogent, it would be uploaded on the internet; 


£ 


rom these IPs. 


18 can accept the traffic 


19 MR. NEMTSEV: Objection, your Honor. 


09:55 20 THE WITNESS: I'm sorry. 


21 : What did you ask Cogent to do? 


22 THE COURT: I'm having trouble following, so hold on. 


23 MR. KOSTO: May I proceed, your Honor? 


24 THE COURT: I'm not sure what she said, and it's not 


25 clear on here either, so I am not sure what I am striking or 
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1 not, so this is important to you. 


2 Q. Let me go back one step. Ms. Shah, did you send this 
3 email to Cogent? 


4 A. Yes, I did. 


5 O- And in this email, do you see the { IPv4 prefix listed 


6 in bold? 
7 - Yes. 
8 : Could you read it. 


9 . "104,233.37 .0/24." 


09:56 10 : Did this email also include instructions for other cities? 


11 MR. NEMTSEV: Objection. 


12 THE COURT: I haven't heard the question. I'm looking 


13 at the email. We're all looking at the email. What's the 
14 question? 

15 : Could you read the next city on the exhibit. 

16 : Cleveland. 


17 ‘ And is there a different IP for Cleveland? 


18 : Yes, sir. 


19 ; Is there another city beneath that one? 


09:56 20 ‘ Yes, sir, Denver. 


21 - And is there a different IP beneath that one? 


22 : Yes, sir. 


23 : And to the next page, please, Ms. Lewis. Is there another 
24 city, Milwaukee, underneath that one? 


25 A. Yes, sir. 
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1 ‘ And is there another city underneath that one, St. 
2 : Yes, sir. 
3 ‘ What did you ask Cogent to do in this email? 


4 < To accept -- 


5 MR. NEMTSEV: Objection. 


6 THE COURT: Overruled. 


7 A. To accept traffic from the IP prefix mentioned in this 


8 email. 


9 : Let me take you to Page 1 of Exhibit 267. Do you see the 


09:57 10 in the upper left-hand corner of this email? 
Li : Yes, sir. 


12 : Is that May 30th? 


13 . May 30th, 2018. 


14 : Is it the same day as the letter of authorization? 


15 : Yes, sir. 


16 : Is it the same day that you e-mailed Cogent requesting 
ay to add Boston? 


18 : Yes, sir. 


19 ; And could you read Cogent's reply, the "Dear Cogent 


09:57 20 Customer" and the first sentence. 


21 A. Sure. "Dear Cogent customer: Your BGP pret 
22 addition has been completed." 


23 Q. What does it mean, "your BGP prefix-list has been 


24 completed"? 


25 A. BGP is a routing protocol, so we —-- 
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alt THE COURT: Is a what? 


2 THE WITNESS: A routing protocol. 


3 THE COURT: All right. 


4 A. So basically that's the way Micfo and Cogent communicated 


5 was in that protocol, and based on that protocol, this IP would 


6 be now accepted by Cogent to allow traffic to and from these 


7 IPSs. 


8 Q. And what did you do in response to this email? What was 


9 your practice when you received this email back? 


09:58 10 MR. NEMTSEV: Objection. 


11 THE COURT: Sustained. 


12 Q. Okay. Did you ever receive any complaints from your 


13 customer that the IP addresses you sent this day were not 


14 working as intended? 


LS MR. NEMTSEV: Objection. 


16 THE COURT: Sustained. 


LS) : Did you hear anything from your customer -—— 


18 THE COURT: Remember, limited to the documents. 


19 : Did you receive any other communications from Cogent? 
09:59 20 : We would have, but it depends on the date and time related 


21 to what. 


22 MR. KOSTO: No further questions, your Honor. 


23 MR. NEMTSEV: Your Honor, could I be seen at sidebar 


24 for a second? 


25 THE COURT: Sure. 
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MR. 


NEMTS 


EV: Thank you. 


10:00 10 


‘BAR CONFERENCE: 


MR. 


NEMTS 


EV: Based on the representations in my 


opening that there's going to be no Micfo witness, would your 


Honor consider giving an instruction that, you know, it's not 


because 


lied to the jury. It's because they just identified 


this witness and gave us no notice before the start of trial? 


THE COURT: Yes, I will do that to cure that. I'll 


give a curative instruction. 


This is somebody you just found, right? 


MR. FRANK: Yes. 


MR. KOSTO: In response to the defense case. 


THE COURT: Well, it's your case, but nonetheless 


think she's 


useful, if you can understand the accent. But I 


did limit the government to specifically the document we're all 


10:00 20 


21 


22 


23 


24 


25 


ilar with, so, 


okay. 


JRT 


EV: We're not going to ask —- 


: You're not going to cross at all? 


EV: No. 


THE COURT 


: All right. 


(End of sidebar conference.) 


MR. 


NEMTS 


EV: Maybe a couple questions, your Honor. 


THE COURT: I knew it. 


should have done this before. This has been a newly 


named witness because someone who's recently found, basically. 
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1 So does anyone know her? I didn't have her on the witness 


Z list, and the defense didn't find out about her before trial, 


3 so I just wanted -- it's part of this chain in trying to 
4 understand things. So does anyone know her? Okay, that's 


5 fine. Okay, thank you. 


6 CROSS-EXAMINATION BY MR. NEMTS! 


7 : Good morning, Ms. Shah. 


8 ‘ Good morning. 


9 : You and I have never met, correct? 


10:01 10 : Yes, never. 


11 , The first time the government contacted you was sometime 


12 week; is that correct? 
13 : That's correct. 


14 ; And never before have you spoken to anyone, correct? 


15 : No. 
16 : And they sought your testimony through a subpoena; is that 
ay correct? 


18 : Yes. 


19 ‘ And they brought you here over the weekend, correct? 


10:01 20 : Yes, sir. 


21 : How long have you been in Boston? 


22 : I have been just one day. 


23 MR. NEMTSEV: Nothing { 


24 THE COURT: Thank you. 


25 MR. KOSTO: Nothing, your Honor. Thank you. 
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1 THE COURT: Thank you. Sorry you had to stay. 

2 (Witness excused.) 

3 MR. KOSTO: Your Honor, the government calls Karyn 
4 Yanochko. 


5 KARYN YANOCHKO 


6 having been first duly sworn, was examined and testified as 
7 follows: 


8 THE CLERK: Could you please state and spell your last 


10:02 10 THE WITNESS: Sure. My name is Karyn Yanochko, 


11 spelled K-a-r-y-n. Last name is spelled Y-a-n-o-c~-h-k-o. 


12 DIRECT EXAMINATION BY MR. KOSTO: 


13 . Good morning, Ms. Yanochko. 

14 , Good morning. 

15 : Would you please bend that microphone up so we can all 
16 you. 


Ly 5 Sure. 


18 : Try one more time, just your first and last name. 


19 : Karyn Yanochko. 


10:02 20 MR. KOSTO: Can everyone hear? 


21 . Where do you work, Ms. Yanochko? 


22 : I work at the United States Attorney's Office here in the 


23 District of Massachusetts. 


24 F What's your job title at the U.S. Attorney's Office? 


25 : I am a financial investigator. 
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1 ‘ Are you a federal agent? 


2 ‘ T am not. 
3 : Are you a law enforcement agent? 


4 z No. 


5 : How long have you been a financial investigator? 


6 : [t will be two years in April. 


7 : And can you briefly describe to the jury what it is you 


9 : I work with prosecutors and special agents reviewing 


10:03 10 financial documents such as bank statements, wire transfers; 


1] also the supporting documentation like IP log-ins. I summarize 


12 that information and I create charts. 
13 : You sometimes testify at trials? 


14 : I do. 


15 : Where did you work before joining the U.S. Attorney's 


16 fice? 


Ay : I was a contract auditor for the Department of Defense for 


18 seven years. 


19 Q. What did you do there? 


10:03 20 : I analyzed and audited voluminous data which supports the 


21 of major defense contracts. 


22 . Big numbers, I assume? 
23 - Lots of numbers. 


24 ‘ What's your educational background? 


25 . I have a bachelor's degree in accounting from Keystone 


Case 1:21-cr-10104-PBS Document 215 Filed 02/21/23 Page 45 of 167 


1 College and a master's of business administration 


2 University of Hartford. 


3 : Do you hold any professional certifications? 


4 . Yes. I'm a Certified Fraud Examiner. 


5 : What's your involvement in this case specifically? 


6 : So I was asked by the prosecutors to review the downloads, 


7 the information from Donnelly Financial from the 


8 ActiveDisclosure. 


9 Q. And what did you do after analyzing that information in 


10:04 10 general terms? 


11 A. I created a series of summary charts. 


12 Q. And which programs logs did you look at? 


13 A. The program was called the ActiveDisclosure { Donnelly 
14 Financial. 
15 Q. And how much data was in those logs? 


16 A. Millions of lines of data. 


17 Q. And so which specific lines of data were you focused on in 


18 your analysis? 


19 A. The download.ASPX. 


10:04 20 Q. And what kind of data did you analyze and summarize 


21 those download commands? 


22 A. So I summarized information for the download command lines 


23 on the date, the time, the client, and the downloads, and the 


24 IPs. 


25 Q. How about the name of the document that was downloaded? 
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al A. As well as that. 


2 Ox And when you said IPs, just clarify. IP address were 


3 you summarizing? 


4 A. I was summarizing the IP addresses that I was directed to 


5 by the prosecutors. 


6 Q. Were those the IP addresses that connected to Donnelly 
7 Financial? 
8 A. Yes: 
9 ; The ones that downloaded the documents? 
10:05 10 : Yes: 


11 : Okay. What period of time did the logs that you looked at 


12 Donnelly Financial cover? 


13 : From February, 2018, through November of 2020. 


14 ‘ And how did you narrow down the information? What was the 


15 mechanism of sorting through all the rows? 


16 : Sure. I used Excel and a series of filters and formulas. 


17 : Microsoft Excel? 


18 : Yes. 


19 : And you made charts to present your summaries to the jury? 


10:06 20 : Yes. 


21 : Let me show you Government's Exhibit 190, and I 
22 


23 Exhibit 190 received in evidence.) 


24 : u recognize the exhibit? 


25 
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1 j Did you prepare and verify it? 


2 : I. did. 


3 ‘ And what is it? 


4 ‘ This is a chart that I prepared from the Donnelly 


5 Financial ActiveDisclosure download data, specifically for the 


6 download.ASPX command line, for the username RR52260 associated 


7 with Julie Soma's account, for the IP address 89.238.166.235 
8 for October of 2019. 


9 Q. So was this all of the downloads that took place over the 


10:06 LO IP address in blue contained within the dataset? 


11 A. For October, 2019. 


12 Q. And if we wanted to go back and check your chart for its 


13 accuracy, where would we go? 


14 A. You would look up the Donnelly Financial ActiveDisclosure 


16 : Let me show you Government's Exhibit 71K in evidence. 
17 MR. KOSTO: And if we could have 190 on the left, 


18 please, Ms. Lewis. 


19 : So do you recognize 71K on the left? 
10:07 20 : Yes. 


21 - What is that? 


22 : So this is the raw data | Donnelly Financial 


23 ActiveDisclosure. 


24 : So what's the date and time in the raw data? 


25 . Date and time is October 23, 2019, at 10:17. 
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QO. And what is the time reflected on the first line, first 


10:07 10 


10:08 20 


21 


22 


23 


24 


25 


row of your chart? 


A. The date and time is October 23, 2019, at 10:17 Zulu. 


What's the IP address in the raw data on the left, 71K? 


Is 89.238.166.235. 


And where do you see that on Exhibit 190? 


That is in the header. 


And do you recognize any usernames in the raw data on the 


Tudo. 


Where is it 


the left, it is RR52260. 


d that's your summary? 


d that is also my summary. 


F the client reflected in 


d do you recognize the name of 
the raw data? 

Yes. 

And what is it? 


Tesla. 


And is that what appears on your summary? 


Yes. 


And does the name of the document match as well? 


Yes. 


Okay. Did you do this analysis 


IP addresses that you were requested 


for a number of dif! 


Ferent 


to look at? 
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2 : And were many of them tied to Julie Soma's account? 


4 MR. KOSTO: Before we leave that, Ms. Lewis has 


5 suggested that I offer 71K. Thank you. 


6 (Exhibit 71K received in evidence.) 


7 Q. Let's look at Exhibit 191, please. Is this a multipage 


8 document ? 
9 A. 


10:08 10 : What are you summarizing here? 


11 : Here I am summarizing the download.ASPX information 


12 Donnelly Financial ActiveDisclosure for the username 


13 associated with Julie Soma for the -- 


14 Q. I'm sorry. What's the IP address? You were right ahead 
15 of me there. 


16 A. The IP block is 104.238.37 for period of October, 


17 2018, through November, 2018. 


18 MR. KOSTO: Ms. Lewis, can you quickly show 


19 Ms. Yanochko the number of pages in the document. 
10:09 20 Q. How many did you see there, Ms. Yanochko? 


21 A. Four pages. 


22 Q. Approximately how many downloads were there reflected 
23 these pages? 


24 A. There's about 113. 


25 Q. I'd ask you on Page 1, please, from the middle of 


10:10 10 


10:10 20 


21 


22 


23 


24 


25 
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page starting with "Capstead," could you please read aloud the 


companies that are listed in order. You can skip the 


duplicates. 


A. Capstead Mortgage Corporation, Essendant Incorporated, 


Getty Realty Corporation, Microsoft Corporation, Prosperity 


Bank Shares Incorporated, Packaging Corporation of America, 


Stepan Company, Altra Industrial Motion Corporation, Aguila 


Corporation, PGC Partners Incorporated. 


Q. Let me stop you there. Do you notice anything about those 


company names? 


A. They're al 


Did you al 


No. 


E1eal.. 


tize them? 


What is the order that this information is presented in? 


It is presented chronologically. 


And so what's the approximate amount of time that these 


downloads took place in these company names? 


A. It's approximately an hour. 


Ox Let me direct you to Exhibit 176. Can you please read 


aloud on Page 2 the 


A. 104.238.37. 


IP block referenced in the first sentence. 


And what's the entry for city and state reflected in 176? 


Boston, Massachusetts. 


Okay. Let me direct your attention to Exhibit -- and 


that's the IP address that was on the chart we just looked at? 


10:11 10 


Case 1:21-cr-10104-PBS Document 215 Filed 02/21/23 Page 51 of 167 


fiaooue 


0. Let me direct your attention to Exhibit 192. Do you have 


it there? 


Uh-huh. 


Do you recognize it? 


YES 


And what does it summarize? 


This is another char 


t that I crea 


ted based off the 


Donnelly Financial Active 


Disclosure dat 


Se 


downloads 


10:12 20 


21 


22 


23 


24 


25 


November 8, 2019. 


Q. Can I have you read the third row in relation to 


ta, also summarizing the 


for the username associated with Julie Soma for the 


[P address listed in the header for November 6, 2019, through 


and tell the jury what it's summarizing. 


A. Sure. It is on November 6, 2019, 


at 12:54 Zulu and 


4:54 a.m., the Exhibit 99.1 document was downloaded for the 


company Roku Incorporated 


Q. Over Julie Soma's username? 


A. Over Julie Soma's username. 


Q. And did you make a time conversion in connection with your 


summary here? 


I did. 


What's the 4:54:49 seconds time? 


That is the Pacific Time. 


Okay, let's move to 


Exhibit 193. 


T'll ask you if you 
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1 recognize i 


2 A. Yes, I recognize it. 


3 Q. It's fair to say it's another download summary for the 


4 address in blue there? 


5 A. 


6 . Does it concern February 5, 2018? 


7 : It does. 


8 ‘ And it's again on Ms. Soma's account? 


9 : Yes. 


10:12 10 : Let me have you read and summarize for the jury the fourth 


11 fifth rows in relation to Snap Inc. 


12 A. Sure. On February 5, 2018, between 7:16 and 7:18 Zulu, or 


13 11:16 p.m. and 11:18 p.m., the documents Exhibit 99.1 and Snap 


14 Master were downloaded for Snap Incorporated. 


15 MR. KOSTO: Ms. Molloy, I'd offer 190, 191, 192, 193 


16 and just to get ahead of ourselves, 194 and 195 in case I 


17 forget. 


18 (Exhibits 190-195 received in evidence.) 


19 Q. And can you read and convert the time of these downloads 
10:13 20 for the jury in rows 4 and 5. 


21 A. Sure. It's 7:16 and 7:18 in Zulu time and 11:16 and 11:18 


22 in Pacific. 


23 Q. Let's move to the recently offered 194. Is this download 


24 activity over Ms. Soma's account? 


25 A. Yes. 


10:14 10 


10:14 20 


2] 
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Is it for the 


Yes’. 


IP address in blue? 


What time period does it cover? 


For July, 2019. 


Can I have you read and summarize the fifth row only. 


Start with the document that was downloaded. 


So the 99.1 document was downloaded. 


What company? 


For SS&C Technologies Holdings Incorporated. 


And what time of day or night Pacific Time? 


It's 10:09 a.m. 


Okay. Could I 


also please have you read the company list 


from Atlas Air. You can skip any duplicates. 


Atlas Air Worldwide Holdings, Inc., Abiomed incorporated, 


Apartment Investment and Management Company, British American 


Tobacco PRC, Chemours Company, Coherus Bioscience Incorporated. 


Q. T'll stop you 


about the order of 


A. They're alphabetical. 


there. What, if anything, do you notice 


the companies? 


Q. Let's move to Exhibit 195. I believe it's been offered. 


22 


23 


24 


25 


Is this another of your summaries? 


Does it date to May, 2019, concerning the IP address in 
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al. : Over Ms. Soma's account? 
2 . Yes. 
3 ‘ These are all downloads at that time? 


4 F Yes. 


5 : And can I have you please read the entry related to Kohl's 


6 Corporation about midway down the page. 


7 A. On May 20, 2019, at 12:29 Zulu, or 5:29 a.m. Pacific, the 


8 Exhibit 99.1 document was downloaded for Kohl's Corporation. 


9 MR. KOSTO: Let's move, please, to Exhibit 195A, and, 


10:15 10 Ms. Lewis, I'd offer it. 


11 (Exhibit 195A received in evidence.) 


12 Q. What's the IP address for this summary, Ms. Yanochko? 


13 A. PLO. 204. 194.214. 


14 Q. Approximately how many downloads are there in May, 2019, 


15 for this IP address? 


16 A. Approximately ten. 


Ly QO. Please read the row the fourth from the bottom. 


18 A. On May 9, 2018, at 7:48 Zulu, or 12:48 a.m., the HVNP 


£ 


or Horizon Pharma PLC. 


19 master document was downloaded 


10:16 20 OO” What time is that on the West Coast of the United States? 
21 A. That's 12:48 a.m. 


22 MR. KOSTO: Let's move to Exhibit 195D, please, and 


23 I ffer it. 


24 Just a few more, Ms. Yanochko. 


25 (Exhibit 195D received in evidence.) 


10:16 10 


Case 1:21-cr-10104-PBS Document 215 Filed 02/21/23 Page 55 of 167 


Q. 


A. 


Financial 


What is this one? 


Another document that I created from that Donnelly 


ActiveDisclosure data. 


for Sleep Number, 


Could you read the IP address, please. 


Sure. It's 199.249.230.42. 


What's the date? 


On October 11, 2019. 


What's the Pacific Time range? 


The Pacific time range is 5:01 a.m. through 5:11 a.m. 


And what are the last three documents that were downloaded 


A. 


Alcoa, and M&T Bank? 


EX99.1, EX99.1, and Exhibit 99.1. 


MR. KOSTO: Let's move to Exhibit 195F, please, and 


fer it. 


10:17 20 


21 


22 


23 


24 


25 


Q. 


(Exhibit 195F 


received in evidence.) 


This one looks a ] 


ittle bit different, Ms. Yanochko; is 


that correct? 


A. 


Yes, but it's from the same download information from 


Donnelly Financial. 


Q. 


And which IP address does this concern? I don't see any 


listed in the title. 


A. 


So for this chart, 


I've used all of the IP addresses 


associated with the username RR522 for Julie Soma, excluding 


the 


Q. 


Donnelly Financial 


home office VPN IP address. 


You said you excluded the home office VPN? 


10:18 10 


10:18 20 


21 


22 


23 


24 


25 
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A. Yes. 


Q. Okay. Approximately how many downloads were there in this 


dataset that you're summarizing here? 


this graph, there's about 2,300 accounts. 


over the Soma account? 


over the Soma account. 


how are you showing them on this exhibit in 


particular? This one's a little new. 


A. So this one, I grouped 


them by hour. 


Q. And how did you do that? Let's say there was downloaded 


at 12:30 in the afternoon, 


where would that fit in your chart? 


A. So that would fall under the 12:00 p.m. hour. 


Q. And how about 10:45 p.m., even though it's close to 


11:00 p.m.? 


A. It would still fall under 10:00 p.m. 


Q. So you rounded down essentially? 


A. I just used the hour. 


Q. That's a better way of saying it. Thank you. What was 


the time period reflected on your summary where the smallest 


number of downloads occurred? 


And what time zone are 


Between 3:00 p.m. and 8:00 p.m. 


we in here? 


This is in the Pacific 


What was the timing o! 


largest number of downloads 


Time zone. 
the period of the day when the 


appeared to take place over 


10:19 10 


10:19 20 


21 


22 


23 


24 


25 
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Ms. Soma's account? 
A. 5:00 a.m. 


MR. KOSTO: Let's move to Government's Exhibit 195F on 


ft, please, and 195E on the right. And I'd offer 195E 


f I haven't. 


Exhibit 195E received in evidence.) 


So we've added 195E. Is that another summary you prepared? 

Yes. 

How does it relate to 195F? 

So it's the same information from 195F, then translated 
into Moscow Standard Time. 


Q. And how far ahead of Universal Zulu Time is Moscow 


Standard Time? 
from Zulu to Moscow, it's three hours ahead. 


Dp 


[In 195E, what is the time when the least downloads appear 


to take place over Ms. Soma's account? 


A. Between 1:00 a.m. and 7:00 a.m. 
Q. And what is the time period where the most downloads 


appear to take place over Ms. Soma's account? 


A. 4:00 p.m. 


Q. And so, again, what is the relationship between the data 


summarized in 195E Moscow time and 195F Pacific Time? 


A. So it's the same information, just shifted for the time 


MR. KOSTO: Let's move to Exhibit 195B, and I 


10:20 10 


10:20 20 


21 


22 


23 


24 


25 
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(Exhibit 195B received in evidence.) 


What are you summarizing in 195B? 


it 


And 


And 


Cou 


aie 


It's the ActiveDisclosure download information, but this 


summarizes the information for the username associated 


there are 


Hyeyoung Han for the IP addresses listed above. 


three there? 


there are 


three. 


ld I have you read the middle one. 


is 199.249.223.130. 


And what's the time period? 


From October 28, 2019, through April 30, 2020. 


for Ms. 


Does this chart work the same way as the one you prepared 


Soma's downloads? 


A. Yes. 


Yes. 


Everything rounded down to the hour? 


And what time zone is this one set in? 


So this one is set in Korean Standard Time. 


And how many downloads, just to illustrate, were there 


between, 


say, 7:00 and 8:00 p.m.? 


About 120. 


And what about noon Korea time? 


Zer 


oO. 


3:00 p.m. Korean time? 
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al 7 Zero. 


2 ‘ Did you allow for Daylight Savings Time in this chart? 
3 ; So Korean Standard Time doesn't observe Daylight Savings. 


4 MR. KOSTO: Let's add, please, Ms. Lewis, and I'd 


5 fer Government Exhibit 195C alongside 195B. 


6 (Exhibit 195C received in evidence.) 


7 : What is 195C? 


8 : It's the same chart as 195B but now in Moscow Standard 


10:21 10 QO. And what's the time difference between Moscow Standard and 


11 Korea Standard? 

12 A. Six hours. 

13 Q. And in Moscow Standard Time, what is the range of hours in 
14 which the largest number of downloads occurred? 


15 A. Between 1:00 p.m. and 5:00 p.m. 


16 Ox And the smallest number of downloads in Moscow Standard 
1] Time? 


18 A. 11:00 p.m. through 9:00 a.m. 


19 Os Let me show you Government's Exhibit 195H, please. 


10:22 20 A. So another chart that I created based on the Donnelly 


2] Financial download data, but this time just for the one 


22 specific IP address listed above for the account associated 


23 with Julie Soma's username. 


24 Q. Could I have you read the IP address aloud in blue. 


25 A. Sure. It's 64.42.179.159. 
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i Q. And what's the time period? 

2 A. From October 24, 2019, through November 26, 2019. 

3 Q. Approximately how many downloads were there in this 
4 dataset? 


5 A. Approximately 120. 


6 Q. When do all of them take place Pacific Time? 


7 A. They all take place between 1:00 a.m. and 7:00 a.m. 


8 Q. I'm showing you Government's Exhibit 195G. How does 195G 


9 relate to 195H? 


10:23 10 MR. KOSTO: I'd offer both H and G, Ms. Molloy. 


12 (Exhibits 195H and 195G received in evidence.) 


13 A. So this is the same chart as 195H, but the previous chart 


14 just shifted into Moscow Standard Time. 


15 Q. Are the downloads between 12:00 and 6:00 in the afternoon 
16 Moscow Standard Time? 


17 A. 


18 or Let's move to Government Exhibit 1951. think this is 


19 our last one, Ms. Yanochko. 


10:23 20 THE COURT: Thi i the last -- 


21 MR. KOSTO: is is the last summary chart. 


22 THE COURT: this witness? 


23 MR. KOSTO: is. I'm sorry, your Honor. 
24 is the question? 


25 THE COURT: the last exhibit with this 
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alt witness? 


2 MR. KOSTO: It 


3 THE COURT: Are you done with the witness? 


4 MR. KOSTO: Yes. I'd like to ask her about this 


5 chart, and then we'll be done with this witness. 


6 THE COURT: Thank you. I'm just —- Ms. Molloy needs 


7 to go somewhere, so we'll switch out with Clary, and I just 


8 want to make sure that we're getting all the exhibits in. 


9 MR. KOSTO: Would the Court like to pause for a minute 


10:23 10 now and stretch, or should we keep going? 


11 THE COURT: No. Just finish this witness. Are you 


12 going to have cross with her? 


13 MR. NEMTSEV: will, your Honor. 


14 THE COURT: Do you need the charts to come back up 


16 MR. NEMTSEV: Potentially, yes. At least one or two. 


17 THE COURT: Okay, so if you're —- 


18 Okay, Clary can do this. I just wanted to make sure. 


19 MR. KOSTO: We'll leave it with Ms. Lewis and she'll 
10:24 20 be able to help, as well. 


21 THE COURT: Okay, thank you. I'm sure Clary can do it 


22 as well. I just want to make sure we don't -- this is 


23 seamless. 


24 MR. KOSTO: Even though Ms. Molloy just got up, 


25 going to offer 195IT. Sorry, Ms. Molloy. 
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al (Exhibit 195I received in evidence.) 


2 Q. This is a slightly different-looking summary. 
3 prepare this one? 


4 A. I did. 


5 OF And so help us understand what you did here. What is this 


6 summary? 


7 A. So this summary summarizes all of the Donnelly Financial 


8 ActiveDisclosure download data for -- all the download data 


9 excluding the IP address associated with the Donnelly Financial 


10:24 10 VPN, and then I grouped them by month for this chart, and each 


11 of these were assigned a color. 


12 ‘ asked you to exclude the Donnelly Financial corporate 


14 : prosecutors. 
is) s what are the last names of the five users whose 


16 downloads you're summarizing here? 


17 A. Soma, Han, Gray, Lewis, Gebremariam. 


18 Q. And what are the percentages in the box, the lower box? 


19 A. The percentages represent how much of this dataset those 


10:25 20 usernames represented. 


21 Oo. So how many downloads are in this dataset? 


22 : Approximately 2,900. 


23 Q. So when you say 80 percent in parentheses next to 
24 Ms. Soma, how many of the 2,900, approximately, was her account 


25 responsible for? 


10:26 10 


10:27 20 


21 


22 


23 


24 


25 
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Q. 


Approximately 2,300. 


Okay. 


time goes 


A. 


Q. 


March, 


It's 


Blue 


And what is the up-down axis on this chart, if 


Ea 


from left to right, month by month? 

the number of downloads. 

from the period February of 2018 through November 
December of 2020, what is the primary color there? 


for Julie Soma. 


And then what does it shift to in January, February, 


It sh 


and April? 


ifts to red. 


And who is red? 


That would be Hyeyoung Han. 


And in May, what does it shift from and to? 


It sh 


ifts to blue for Lewis. 


Would you agree with me that that's purple? 


Sorry 


. Purple. 


Or purplish. And then on to green and on to aquamarine? 


YES’ s 


MR. KOSTO: May I have one moment, your Honor. 


( 


Discussion between government attorneys.) 


MR. KOSTO: Nothing further, your Honor. 


THE COURT: Okay. 


CROSS-EXAM 


NAT 


ON BY MR. NEMTSEV: 


Q. 


A. 


Good morning, Ms. Yanochko. 


Good morning. 


10:27 10 


10:28 20 


21 


22 


23 


24 


25 
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is Max Nemtsev -- 


RT: Unh=uh. 


EV: Louder or slower? 


Louder, louder. 


MR. IMTSEV: All right. Thank you, Judge. 


You and I have never met before, correct? 


That is correct. 
We've never spoken before, correct? 
That is correct. 


Have you been watching the trial as it goes along? 


I have not. 


And you prepared these analyses and these summary charts 


at the request of the prosecutors in this case, Mr. Kosto and 
Mr. Frank? 


A. 


Q. And they provided you with the information necessary to 


create these charts; is that correct? 


A. The information was provided through them. 


Q. And they provided to you what they want to see in these 
charts, correct? 


A. Yes. 


Q. They told you, for example, to limit your analysis to the 


download at ASPX; is that correct? 
A. 


Q. And they told you to convert PST to, for example, Moscow 
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al Central Time, correct? 


2 A. Yes. 


3 Q. And you have no knowledge whether anything happened in 


4 Moscow, correct? 


5 A. I don't have any knowledge of anything that would indicate 


6 why the time zones would be one or another, no. 


7 Q. This was just at the request of the prosecutors, correct? 
8 A. 


9 Q. And you would agree that in UTCt+3, there's significantly 


10:28 10 more countries and significantly more cities than just Moscow 
11 or Russia? 


12 ; I'm actually not sure exactly what falls into 3. 


13 : £ represent to you that there are 19 countries that 


14 into UTC+3 -- 


15 MR. KOSTO: Objection, foundation. 


16 THE COURT: Do you know one way or another? 


LS) THE WITNESS: I don't know. 


18 THE COURT: Okay. 


19 Q. UTC+2, are you familiar with that time zone? 


10:29 20 A. Like, I understand that there is a time zone of because 


21 each one of them have a number, but I'm not sure what it 
22 represents. 

23 Q. So UTC+2 is just an hour away from UTCt3? 

24 


25 ; UTC+4 is just an hour away from UTC+3 as well, correct? 
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1. : Yes. That sounds right. 


2 : UTC+2 is just, I guess, an hour behind UTC+3, correct? 

3 ; Right. 

4 ‘ So UTC+2, do you know how many countries are within that 
5 zone? 

6 : No. 


7 é And Zulu time is what, based on your review? 


8 : In the context of this, it's the time stamp that was 


9 located within the data that I reviewed. 


10:30 10 Q. Yes, but you converted Zulu into, for example, Pacifi 
11 Central, correct? 
12 A. Correct. 


13 : So Zulu is which time zone on the UTC universe? 


14 : It represents, like, the starting point from which the 


15 time zones -- 


16 THE COURT: Do you know what city? 


17 THE WITNESS: Oh, it's in London. 


18 Q. So it's in London. So London is about three hours behind 


19 Moscow, one hour behind Paris. It's fair to say it's two hours 


10:30 20 behind Athens? 


21 F If that's where Athens is located, then, yes. 
22 . So UTC —-- 


23 THE COURT: She doesn't know, so I think you're going 


24 to have to do this ina different way. 


25 Q. You also reviewed millions of line items and log files; is 
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a. that correct? 


2 A. I didn't review millions. I know that they represent the 


3 universe from which the information was retrieved from. 


4 O. Did you do the retrieval? Did you yourself search 


is download.ASPX? 


6 A. From the millions of lines of data, I did not pull it 


7 myself. 


8 : Somebody else did that for you? 


9 . And then I validated it. 


10:31 10 2 Was it Mr. Kosto or Mr. Frank? 


11 . I don't believe it was either one of them. 


12 : Mr. Kosto asked you to testify about Exhibit 176. It was 


13 letter regarding certain IP addresses. Do you recall that? 


14 5 Yes. 


15 : Do you have any knowledge whether that IP address was 


16 actually on a Boston server? 


Ly A. I don't know. 


18 O:. Could we pull up Exhibit 1951. This is one of the last 


19 charts that you testified about, correct? 

10:31 20 A. Yes. 
21 Q. And this is a chart that continues from February 5, 2018, 
22 to November 2, 2020, correct? 
23 


24 : You didn't listen to the testimony in this case, correct? 


25 . I didn't listen to any of the testimony. 


10:32 10 
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Q. And you didn't listen to the testimony of Mr. Hartvigson, 


who described the accounts that were affected by -- 


question? 


MR. KOSTO: 


THE COURT: 


MR. KOSTO: 


THE COURT: 


Object 


have 


He's s 


Overru 


ion. 


n't heard the question yet. 


tating another witness's testimony. 


led. 


Do you know anything about that witness -- what's the 


You didn't hear any witness, so is there another way 


of framing the question? 


QO. Mr. 


Frank and Mr. Kost 


these five accounts, 


A. So t 


data that 


Correc 


o specifically asked you to include 


1 ae 


hese specific five accounts were included within the 


received, 


which 


then verified as to the universe. 


QO. And you don't know whether the witness that was 


responsible for investigating the intrusions testified whether 


these five accounts were involved in the intrusion, do you? 


A. I don't 


MR. NEMTSEV: 


COURT: 


MR. KOSTO: 


THE COURT: 


know anything about that. 


Nothing further. 


Anythi 
Nothin 


Thank 


(Witness excused.) 


MR. KOSTO: 


U-1-t-t-o:. 


May 


ng? 
g. 


you. You may step down. 


I proceed, your Honor? Erik Uitto, 
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1 ERIK UITTO 


2 having been first duly sworn, was examined and testified as 


3 follows: 


4 THE CLERK: Please state your name, and please spell 


5 it for the Court Reporter. 


6 THE WITNESS: My name is Eric Uitto, and it's spelled 


7 E-r-i-k. Last name is spelled U-i-t-t-o. 


= 


8 THE COURT: Now, make sure you speak nice and loudly 


9 so that your voice catches. Why don't you say your name again 


10:34 10 so you can hear your voice catch. 


11 THE WITNESS: My name is Erik Uitto. 


12 THE COURT: Okay. 
13 MR. KOSTO: May I proceed? 


14 THE COURT: Yes. 


15 I ECT EXAMINATION BY MR. KOSTO: 


16 g Where do you work, Mr. Uitto? 


17 : I work for the Federal Bureau of Investigation. 


18 : And what city do you work in? 


19 : I work in Huntsville, Alabama. 


10:34 20 , What's your title at the FBI? 


21 ‘ I am an IT specialist/forensic examiner. 


22 : Are you a law enforcement agent? 


23 - I am not, no. 


24 j And do you work within a particular division at the FBI? 


25 : Yes. I work within the Operational Technology Division. 
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al. : Is that sometimes referred to as OTD? 


2 . Yes. 


3 ‘ And what is OTD's task? 


4 : So we fight crime through technology. 


5 THE COURT: You know, I can barely hear you. See, you 
6 can hear your voice catch if you move it close to your mouth. 
7 All right, so what's the division you're in again? 


8 THE WITNESS: I'm in the Operational Technology 


9 Division. 
10:35 10 THE COURT: Great. 
11 : Use your halfway between inside and outside voice maybe. 
12 ; Okay. 
13 : And what does OTD do? 


14 ; So we fight crime through technology. 


15 : And within that -—- that's a pretty broad statement -- what 


16 is your role in that process? 


Ay < So I specifically work in the area of digital forensics. 


18 : How far did you go in school? 


19 : I have a master's degree in computer science. 


10:35 20 : And do you also have a bachelor's degree in information 


21 and computer science? 


22 


23 ; How long have you been an employee of the F 


24 : It's about 14 years now. 


25 : And you mentioned you're in digital forensics and your 
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1 title is forensic examiner. Can you tell the jury what it isa 


2 forensic examiner does. 


3 A. So I support the agents. We go out and collect digital 


4 evidence. So we may go assist them during search warrants. 


5 We'll help seize servers, laptops, computers, telephones, those 


6 sorts of things. And then we'll bring them back to a 


. laboratory environment, and there we'll analyze and process the 


8 devices and then write reports about them, and let the agent 


9 know what we find, and also we'll provide testimony in court 


10:36 10 like I am here. 


11 Ox What is the CART team, C-A-R-T? 


12 A. So CART stands for Computer Analysis Response Team, and 


13 it's the group within the FBI that's over all the digital 


14 forensic examiners like me. 


15 , so you're on the CART team? 


17 : Do you hold any certifications relevant to your work as a 


18 digital forensic analyst? 


19 Yes. 


10:36 20 : Can you name a few of them. 


£ 


21 F So I have certi 


ications from the FBI, internal ones, ones 


22 that cover Windows forensics. There's one for Unix forensics, 
23 cellphone forensics, Macintosh or Mac forensics. 
24 Q. You've named Windows, Unix, and Apple? 


25 A. 
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i : Are each of those different operating systems? 
2 ‘ Yes. 

3 : And they work in different ways? 

4 : Yes. 

5 : So you get training on each of them? 


6 : Yes. 


. : Do you have any training in relation to malware? 


8 : I do, yes. 


9 And what is that? 


10:37 10 : So I have a certification, a GREM certification from an 


11 organization called SANS. 


12 Q. SANS, S-A-N-S? 


13 A. Yes. It's an outside organization. It's not government 


14 owned. It's privately run. 


15 Q. And what does your training in malware from SANS mean you 


16 know about? 


17 A. So there is a week-long training and certification that 


18 they offer, and it covers the topics of identifying malware and 


19 analyzing it and finding out how it works. 
10:38 20 Q. And what is malware? 


21 A. So malware is software that you don't want on your 


22 computer or device. It often takes actions without the consent 


23 of the owner or the user. 


24 Q. I think you mentioned that your training from SANS 


25 involved reverse engineering malware; is that right? 
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al ; Yes. 


2 : And so what does it mean to reverse engineer malware? 


i : That's looking at how it works, finding the details of 
4 ‘ Taking it apart, putting it back together? 


3 ‘ Yes. 


6 ‘ In addition to your certifications, have you led trainings 


7 within the FBI on digital forensics? 


8 A. 


9 Q. Have you attended trainings inside and outside the F 


10:38 10 the same topic? 


12 ‘ have you testified in court concerning your work in 
13 computer forensics? 
14 A. 


15 Q. What kind of matters have you testified about? 


16 ‘ In a computer intrusion case and then two human 


17 fficking cases. 


18 Q. And what kind of computers have you generally examined in 


19 connection with your work? 


10:39 20 A. All three of those involved server computers. I have also 


21 examined laptops and desktops. 

22 Q. Server, is that the physical box that contains the 
23 computer? 

24 A. 


25 Q. And what did you do for a living before you joined the 
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2 : I was a systems engineer working as a contractor for the 


3 Navy. 


4 Q. And over the course of your time at the FBI, how many 
5 forensic exams would you say you performed on servers, laptops, 
6 phones, computers? 


7 A. It's in the hundreds. 


8 MR. KOSTO: Your Honor, the government would offer 


9 . Uitto pursuant to Rule 702 in digital forensics. 


10:39 10 THE COURT: All right. He can render an opinion. 


11 Q. Now, in the course of your work, have you examined 


12 something called "virtual servers" or "virtual computers"? 


14 ; Everybody in this room is looking for a good definition of 


15 virtual servers, so here's your chance. 


16 A. Okay. So a virtual server is a physical machine that can 


ay run multiple operating systems. So you're probably familiar 


18 with Windows or Mac or Linux, these types of operating systems. 


19 You can have one physical machine that runs multiple operating 


10:40 20 systems. It could have three Windows operating systems running 
21 on the one physical machine, plus two Linux ones. 
22 : All in the same physical box? 


23 : Yes. 


24 ; All with the same power cord? 


25 . Yes. 
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al: : All with the same Internet connection? 
2 . Yes. 


3 : And have you examined virtual servers over the course of 


4 career in forensics? 

5 : Yes. 

6 : And can you have as many virtual servers as you want in 
7 one physical box, one physical computer? 


8 A. Usually there is a limit. 


9 Q. What's the outer limit for how many you could have? 


10:41 10 A. It's all the computer resources, so how much memory and 
11 processors you have. 


12 Q. So the more powerful the physical computer, maybe the more 


13 virtual servers you can have in it? 


14 A. 


15 QO. And what is the advantage as an operator of running a 
16 virtual server, as opposed to having a physical computer? 


17 A. So if you're running just one physical machine, it's often 


18 more efficient than running multiple independent ones, multiple 


19 physical machines. 
10:41 20 Q. Why is that? 


21 A. It saves on energy, it saves on cooling costs, these sorts 


22 of things. 


23 Q. So if you have a datacenter, you can pay for one spot, not 
24 


25 


Case 1:21-cr-10104-PBS Document 215 Filed 02/21/23 Page 76 of 167 


i Q. Do you need to be in any particular place as a 
Z access a virtual server? 
3 A. Yeah, so servers usually don't sit in front of it when 


4 you're working with it. You can be anywhere in the world, 


5 really. 

6 Q. And how is it that you access a virtual server if you're 

7 not next to it? 

8 A. Virtual servers, you can often use a username and password 


9 to log in remotely. 


10:42 10 Q. Let me direct you to the period of time beginning in or 


11 about July, 2020, and thereafter. Did you do digital forensics 


12 in connection with this investigation? 
13 : Yes. 
14 ; And who asked you to do that? 


LS : It was Special Agent David Hitchcock of the FBI. 


16 : And what did he ask you to look at? 


£ 


nine virtual servers. 


Ly : He asked me to look at a total o 


18 ‘ And do you know where they came from? 


19 : Yes. 
10:42 20 : Where did they come from? 


21 , There were three that came from a virtual service provider 


22 called Digital Ocean, and there was six that came from a 


23 provider name Vultr. It's spelled V-u-l-t-r. 
24 Q. And what are DigitalOcean and Vultr? 


25 A. So they are both virtual server providers. They rent 
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al. servers over the Internet to users around the world. 


2 : if I had an account with DigitalOcean, I could sit down 
3 with a username and a log-in and get to a virtual server? 


4 A. 


5 Ow And was each of the nine computers that you looked at a 
6 virtual server? 


7 A. 


8 Q. And did Agent Hitchcock task you with any forensic 


9 responsibilities? What did he ask you to do? 


10:43 10 A. So he wanted to know what or how the servers were 


11 configured and what they were doing. He also wanted to know 


12 information about the people running them, including potentially 


13 identifying them. He also wanted to know if there was any 


14 software known as Empire PowerShell. 


15 : if I have you right, three tasks: who was operating 


Ly P Yes. 


18 ‘ And what was going on on the machine? 


19 Yes. 


10:44 20 ; And whether there was Empire PowerShell on these machines? 


21 : Yes. 
22 : Let me ask you first some questions about how these nine 


23 computers you looked at were set up. First of all, remind us 


24 one more time, how many? 


25 A. There was nine servers in total. 
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1 ‘ rom what company? 


2 ‘ from Vultr and three from DigitalOcean. 
3 Q. And how did you keep track of each one? How did you 


4 distinguish among them? 


5 A. So there was an IP address or Internet protocol address 


6 assigned to each. 


7 ; Each of the nine had their own IP address? 


8 : Yes. 


9 ; And did each of the nine also have a name that was 


10:44 10 associated with it? 


11 : . 1 identified that through my forensic exam. 


£ 


for your testimony today, did you work with 


12 ‘ In preparation 
13 my office to prepare a visual aid? 

14 A. Yes. 

15 Q. And would it assist you in explaining your forensic work 
16 to the jury? 


Ly A. It would. 


18 MR. KOSTO: Your Honor, may I flip the physical 


19 version of this chalk around? 
10:45 20 THE COURT: To whom? 
21 MR. KOSTO: To the jury. 


22 COURT: I haven't seen it yet. 


23 MR. KOSTO: Ms. Lewis, would you please put it up on 


24 the screen. I don't think there's any objection to it. 


25 THE COURT: You've all seen it? 
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i . KOSTO: We showed it to Mr. Nemtsev, yes. 


2 . NEMTSEV: Yes. 


3 COURT: All right, so that's what I have on the 
4 right, thank you. There's no objection. 


5 . KOSTO: Thank you, Mr. Frank. If you'd flip that 


6 around. 


. : Is what you have on your screen the same thing as what the 


8 has in physical form, as well as on their screens? 


9 : Yes. 


10:45 10 ; And we'll call it Exhibit DDI Lf that's okay. 


11 . Okay. 


12 ‘ Do you recognize it? 


13 : I do. 


14 - What is it? 


15 : So this is a digital depiction of the servers that 


16 examined on the right there, so they each have a number on 
17 them, 1 through 9. 


18 : Let me focus you first on the computers numbered 1 through 


19 . Do you see them there? 


10:46 20 : Yes. 
21 : Are they kind of in a sideways V configuration? 
22 : Yes. 


23 : Okay. And what do computers 1 through 7 show on this 


24 Exhibit DDD? 


25 A. They functioned as gatekeepers for the furthest machine to 
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1 the right, server number 8. 
2 Q. And when you say "gatekeeper," is there a technical 
3 for that? 


4 A. Yes. So the technical term is a "reverse proxy." 


5 On Can you explain to the jury, in a easy for me to 
6 understand way, what a reverse proxy or gatekeeper is in 
7 chart, 1 through 7. 


£ 


8 A. Yes. So in this chart, it would function -- so the seven 


9 that are in that V formation, they would pass traffic to server 


10:47 10 number 8, if it was coming from an infected machine; and if it 


11 was something else, it would send the traffic to some other 


12 website. 

13 Q. there software that served this gatekeeping function 
14 on these virtual machines? 

15 A. 


16 3 And what was it called? 


Ay : The software is called NGINX. It's spelled N-G-I 


18 ; And were computers 1 through 7 each running NGINX? 


19 Yes. 


10:47 20 ; And which computer were the seven gatekeepers serving as a 


21 gatekeeper for? 
22 A. For the server number 8 on the right, the Empire server. 


23 Q. You call it the Empire server on the chart. Why do you 


24 call it that? 


25 A. That is the server where I identified Empire PowerShell, 
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i one of the three items that Agent Hitchcock asked me to look 


2 for. 


i) Q. Based on your examination, and you can certainly refer to 


4 the chart, what were the names associated with computers 1 


5 through 7? 
6 A. So the first one was www.smartfinancelist.com. And server 
7 number 2, www.scoreyourmoney.com. Server number 3, 


8 www.developingcloud.info. Server number 4, 


9 cloudAPIfinance.info. Server number 5, www.finshopland.me. 


10:48 10 Server number 6, www.shopservice.live. And server number 7, 


11 www.Appfinreport.info. 


12 Q. What's wrong with number 9 up there? Why is he off on his 


14 A. So they had the same software NGINX running, but it was 


15 not configured as the other ones to function as a gatekeeper. 


16 It wasn't set up in the same way. 


ay Q. And you have traffic lights next to each of 1 through 7; 


18 is that right? 


19 A. 
10:49 20 Q. What would happen, the way these computers were 


£ 


21 configured, if a network administrator typed in, say, 


£ 


22 "cloudapifinance.info" in their browser? 


23 A. So it would send that network administrator to another 


24 website. It would prevent the traffic from going to server 


25 number 8, the Empire server. 
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1 : Let's look at how that might work. 
2 MR. KOSTO: Ms. Lewis, would you please bring up 


3 Government's Exhibit 158. 


4 ‘ Do you recognize this? 
5 ; Yes. 


6 : And there's a lot going on there, but what is it? 


i . It is a configuration file for the NGINX reverse proxy 


8 software. 


9 Q. And this is a file related to the gatekeeper? 


10:50 10 A. 


Li MR. KOSTO: Okay, and I'd offer 158. 


12 Exhibit 158 received in evidence.) 


13 MR. KOSTO: There's a lot of text going on there, but 


14 if you take us, Ms. Lewis, to just about that spot where it 


LS says "financecloudAPI.com." 


16 : Do you see that there, Mr. Uitto? 


Ly 7 Yes. 


18 ‘ Can you explain in laymen's terms what this file is 


19 showing about the Gatekeeper program. 


10:50 20 A. So you'll see three pieces of text: Mozilla cloud, check 


21 news, and check date, sort of near the middle there. 


22 QO. What does Mozilla cloud, check news, and check date have 


23 to do with any of this? 


24 A. It's looking for information from the connecting client. 


25 Q. So if the communication comes in to the Gatekeeper, is the 
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i Gatekeeper looking for those specific words? 


2 A. 


3 Q. And if it sees those words, where does the communication 


4 get to go? 


3 A. It will pass the traffic on to server number 8, the Empire 


6 server. 


7 Q. And if the software doesn't see those words "Mozilla 
8 cloud, check news, and check date," what happens to the 


9 communication? 


10:51 10 A. Down at the bottom there is references to a website. It 
11 would send it there, the finance.strands.com/products/strands- 
12 api-hub. 


13 : So that's what happens if the magic words aren't there? 


14 : Yes. So if it's not an infected machine, then it would 
15 it to this other website. 


16 MR. KOSTO: And I ask you to bring up Exhibit 158A, 


Ly I'd offer it. 


18 (Exhibit 158A received in evidence.) 


19 : Can you read the top or the beginning of the domain. 


10:52 20 3 It is strands.com. 


21 : And what is this website in relation to the Gatekeeper? 


22 : It appears to be the third website that traffic would be 


23 sent to. So if it's not an infected machine, this is where it 


24 would be sent, the traffic. 


25 Q. Is this what an administrator would see if they typed in 
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1 "cloudapifinance.info"? 
2 A. Yes. 
3 MR. KOSTO: So, Ms. Lewis, if you'd move Exhibit 158 


4 to the right, and I'd ask you to bring up Exhibit 240 in 


5 evidence. 


6 Q. And just as a reminder, on the left is the Gatekeeper, 


7 right? On the left is the Gatekeeper, correct? 


8 A. Yes. 


9 Q. And it's looking for "Mozilla cloud, check news, and check 
10:52 10 date," right? 


11 A. 


12 Q. Could I have you take us —- first of all, could I have you 


13 read us the name of the machine in the bottom third of 


14 Exhibit 240, next to the word "computer." 


15 A. So next to computer there, it says 


16 USD10846.1TM. ToppanMerrill.com. 


A} MR. KOSTO: Ms. Lewis, would you take us to Page 5 of 


18 Exhibit 240, the last dozen or so lines. 


19 : In Exhibit 40, Mr. Uitto, do you see reference to the word 


10:53 20 lla cloud"? 


21 A. Yes. It's in the center there, a little towards the left, 


22 "Mozilla cloud," and then behind it is "Apple Web." 


23 Q. Do you also see reference in Exhibit 240 to the words 


24 "check news" and "check date"? 


25 A. Yes, the third line from the bottom. 
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1 i And do you see a reference to cloudAPIfinance.info? 


Z : Yes, over to the left. 


3 O;. And is that the same domain that's in the Gatekeeper 


4 exhibit that we've been looking at? 


5 A. 


6 Q. So would a communication that had this code in it from 


7 Exhibit 240, would that get to the Empire server, or would it 


8 get rejected and sent to the website? 


9 A. It would get to the Empire server, so it would be passed 
10:54 10 through. 


11] Q. Why? 


12 A. Because it contains that text that it was looking f 


13 specifically "Mozilla cloud" and "check news." 


14 : if an administrator was trying to figure out what 


iS) [finance.com was and they didn't have "check news, check 


16 or "Mozilla cloud," would they be able to? 


18 Q. Practically speaking, what function was the Gatekeeper 


19 computer serving here? 


10:54 20 A. It would, yeah, only prevent infected machines giving them 


21 access to server 8 and blocking all the rest. 


22 Q. And you said earlier that server number 8 was called the 


23 Empire server? 


24 A. Yes. 


25 Q. Because it had Empire PowerShell on it? 
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2 ‘ What is Empire PowerShell? 
3 : So it's software that can be used to remotely control a 


4 machine. 


5 On Let's discuss some things that you found. Did you look in 


6 the PowerShell server, the Empire server, number 8? 


7 A. 


8 Q. Let's discuss some things you found there. I'm showing 


9 you and offering Exhibit 159 —- 


10:55 10 MR. KOSTO: Unless the Court would like to stop now 
11 and give everyone a break. 

12 THE COURT: How much more do you have with this 

13 witness? 


14 MR. KOSTO: More than five minutes and less than 20. 


iS) THE COURT: Till 11:00, and then we'll take our break. 


16 ; I showing you Government Exhibit 159. Do you recognize 


19 F What is it? 


10:55 20 : So this is an agent log file regarding one of fected 


21 machines. 

22 ; can you read the name of the infected machine under 
23 "username." 

24 : host name? 


25 


10:56 10 
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"USD10846." 


And where did you find this log file, agent.log file? 


This was on server number 8, the sort of first on the 


right on the chart. 


The one behind the Gatekeepers? 


YES). 


And what is an agent.log file? 


£ 


So it contains information from one of the infected 


machines. 


THE COURT: Infected" means what, again? 


THE WITNESS: That there is unwanted software running 


on the machine. 


Q. 


A. 


Where in this case were the infected machines from? 


So in the log, agent.log, there is the reference to the 


domain Toppanmerrill.com, as well as that host name for the 


full 


USD10846.TM. Toppanmerill.com. 


10:57 20 


21 


22 


23 


24 


25 


So it's fair to say the log is reflecting communications 
Toppan Merrill? 


Yes. 


But this isn't a Toppan Merrill log, is it? 


It's not. This is from server number 8, the Empire 


PowerShell server. 


Q. 


Okay. And why would the Empire PowerShell server have 


communications from a Toppan Merrill computer in it? 


A. 


Since it was controlled through this Empire PowerShell. 


Case 1:21-cr-10104-PBS Document 215 Filed 02/21/23 Page 88 of 167 


i THE COURT: So was that Toppan Merrill's? 


2 THE WITNESS: So I did not examine Toppan Merrill's 
3 systems but -- 


4 THE COURT: Whose server was it, this Empire shell? 


5 THE WITNESS: So server number 8 on the right, so the 


7 THE COURT: Yes, but who's was it? Do you know? 


8 Q. What company hosted the servers numbers 1 through 8, or 1 


9 through 9? 


10:57 10 A. It was either either DigitalOcean or Vultr. 


11 Ox So these were computers that were rented at DigitalOcean 
12 and Vultr that you examined? 


13 A. Yes. 


14 Q. And these were servers that were obtained by the FBI 


LS during the course of its investigation? 


LS) Q. And do they have domain names that were related to the 


18 investigation in some way? 


10:58 20 Q. So that's why you were looking at these particular 
21 computers? 
22 


23 : Okay. Now, on Exhibit 159, is there a date? 


24 : There is. 


25 i What's the date? 


10:58 10 


10:59 20 


21 


22 


23 


24 


25 
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A. December 23, 2019. 


Q. And does this log tell you what kind of activity was going 


on on that Toppan Merrill computer? 


A. 


Q. What is the name of the software program that was running, 


according to this log, on Toppan Merrill's network? 


A. Yeah, so the process name there was RDTEVC. 


MR. KOSTO: Okay, Ms. Lewis, would you put 


left and bring up Government's Exhibit 240, Page 1, 


evidence. And make that just a tiny bit bigger. 


240 is from where, 


Mr. Uitto? 


So this one on the right? 


Yeah. What company's logs are those? 


It appears to be from Toppanmerrill.com. 


And what's the machine name? 


USD10846.TM.Toppanmerrill.com. 


And does Exhibit 240 tell 


159 on the 


in 


you the name of the software 


program that was running on Toppan Merrill's network? 


A. Yes. There's a line for "host application," 


very end, it contains R 


DT 


EVC.exe. 


and at the 


Ox And so how does the RDTEVC on the right in Exhibit 240 


relate to the RDTEVC on 


A. So that's the infect 


the logs on the left on 


ted process that sent -- 


the left in Exhibit 159? 


the PowerShell server. 


that created 


Q. The same program running in 240 on the right and reflected 
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1 in the logs on server number 8 on the le! 


2 A. Yes. 


3 MR. KOSTO: Is this a good time, your Honor? 


4 THE COURT: This is a good time. It would be great to 


5 see you at sidebar for a minute. 
6 (Jury excused.) 


7 THE COURT: You can step down, sir. 


8 sorry. 


9 SIDEBAR CONFERENCE: 


11:01 10 THE COURT: How much longer with him? 


11 MR. KOSTO: Fifteen minutes. 


12 MR. NEMTSEV: Ten? 


13 THE COURT: This is incomprehensible to me. 


14 idea what you're talking about, and if that's true for 


LS perhaps it's true for the jury. I don't understand —- 


16 a way of sort of 


A} MR. KOSTO: I'm happy to -- 


18 THE COURT: Are you going to sum up at the end, in 


19 terms of why this all matters? 


11:01 20 MR. KOSTO: Of course, your Honor. 


AL THE COURT: How does it matter here? I was worried 


22 


23 MR. KOSTO: These are the six computers that were 


24 rented at DigitalOcean and Vultr that the victim companies were 


25 communicating with, that Toppan Merrill provided to the FBI 
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£ 


A The FBI went to Namecheap and found this domain. 


2 THE COURT: Are they bad computers? Are they -- 


3 MR. FRANK: These are the hackers' computers. 


4 MR. KOSTO: These are the hackers' computers. 


5 THE COURT: That's not clear. From the get-go, that's 


6 not clear. And does that track back somehow -- you know, 


7 there's all these lines of code. Does it track back to M-13? 


8 MR. FRANK: We already presented the evidence that it 


9 tracked back. These are the domain names that they found at 
11:02 10 Toppan Merrill. 
11 THE COURT: Right. 


12 MR. FRANK: The domain names came back to Namecheap. 


13 Namecheap came back to DigitalOcean and Vultr, and that's what 
14 we went through with Agent Hitchcock. 
iS) THE COURT: Yes. 


16 MR. FRANK: So all those IP addresses traced back, and 


A} now we're looking at the actual computers from DigitalOcean and 


18 Vultr. So those domain names were placed on those rented 


19 computer servers. 

11:02 20 THE COURT: Yes? 
21 MR. FRANK: That's these eight computers. 
22 COURT: Can't you just say that in seven questions? 
23 . FRANK: Sure, we will clear that up, and then what 


24 


25 : We're looking at all this code. 
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i . FERNICH: He's just trying to read the report. 


2 COURT: Let me just say this: A, it's deadening, 


3 ! incomprehensible. 
4 MR. FRANK: Judge, it's meeting our burden. We -—- 
5 THE COURT: Excuse me. You've got to only meet a 


6 burden by making it understandable. 


7 MR. FRANK: The reason it's relevant is because the 
8 malware that was found on the Toppan Merrill system, which 
9 Mr. Kosto will establish that the way that the hackers 


11:03 10 controlled the Toppan Merrill computers and got it to export 


£ 


idential information, that same malware was found on 


Aad. the con 


12 these servers, which we've tied to M-13. 


13 MR. KOSTO: Mr. Brawner testified about -- 


14 THE COURT: Excuse me, excuse me. Let me just say 


15 this: I'm not doubting that it's relevant. I'm just saying 


16 it's not comprehensible about where we are going. We're 


£ 


for me anyway, who never took computer 


Ly looking through -- 


18 science, and my bet is none of these except maybe one guy, has 


19 no idea why they're looking at all this. 


11:03 20 MR. KOSTO: We'll clear it up, your Honor. 


21 COURT: All right. So then who's the next 
22 witness? 


23 : : Mr. Kenney, Bitcoin. 


24 : Is he going to be clearer? 


25 : : Yes, I think —-- well, we have a different 
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1 opinion about the clarity, but Mr. Kenney will testify about 


2 the Bitcoin analysis that he performed. 


3 MR. FERNICH: It's going to be worse. 


4 THE COURT: Is it going to be worse? 


5 MR. KOSTO: Respectfully, I don't think that Mr. Fernic 


6 has met the witness or talked to him. 


7 THE COURT: I'm not saying this guy isn't relevant. 


8 I'm just saying it's hard to figure out where this is going. 

9 MR. FRANK: The reality is, the burden that we have 
11:04 10 is, these are sophisticated hackers using very sophisticated 
11 techniques. 


12 THE COURT: Let me just say this: That may be. 


13 got to be understandable. 


14 MR. KOSTO: I understand. 


15 THE COURT: Now, the next thing is, so the Bitcoin guy 


16 takes how long? 


ike) MR. KOSTO: Thirty-five minutes on direct. 


18 COURT: Okay, in plain English. 


19 . KOSTO: Yes. 


11:04 20 COURT: And then how long on cross? 


21 . NEMTSEV: Ten? 


22 COURT: And then who? 


23 MR. FRANK: It looks like we'll probably get to 


24 Mr. Clarke, to start Mr. Clarke today. 


25 MR. NEMTSEV: We haven't discussed Mr. Clarke. We 


Case 1:21-cr-10104-PBS Document 215 Filed 02/21/23 Page 94 of 167 


7-94 


1 have objections to some of the exhibits that he wants to put in 


2 and -—-— 


3 THE COURT: Well, we'll see how far we get. But let 


4 me just say this: What I'd like you to work on Clarke is the 


5 way we talk about "trillion." So a limiting instruction, if 


6 someone drafts it for me, I'd be happy to do it. 


7 MR. FRANK: We'll draft it. 


8 THE COURT: That was the big issue, I remember, 


9 coming out of 


11:05 10 MR. FERNICH: On the last two columns of the chart. 


de. THE COURT: I haven't seen the chart. 


12 MR. FERNICH: He testified -—- 


13 (Cross-talk. 


14 THE COURT: I don't remember them, so that —-- 


15 MR. FERNICH: That's what incorporates what they're 


16 calling the p-value, which is a different way of expressing the 


17 ratio of one in a trillion, or whatever it was. 


18 THE COURT: So we won't put that up until af 


19 resolved that question. 


11:05 20 Okay. Now, one last question is with the woman who 


21 did the summary charts from the office? 


22 MR. KOSTO: Ms. Yanochko. 


23 THE COURT: Some of those IP addresses you emphasized 


24 in the beginning of your discussion with the agent yesterday. 


25 MR. KOSTO: Yes. 
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alk THE COURT: They were familiar to me, and I remembered 


2 them, but a bunch of the IP addresses I didn't recognize. 
3 MR. KOSTO: Yes. 


4 THE COURT: But they may not realize that we haven't 


is discussed them, so I want to be clear to them. 


6 MR. FRANK: Your Honor, it's all they used many 


i addresses as part of the conspiracy. 

8 THE COURT: What? 

9 MR. FRANK: 110. We're not going to trace each and 
11:06 10 every one back. 


11 THE COURT: Excuse me, excuse me. That may be, but no 


12 one, except maybe you all, have memorized all of them. And so 


13 you very nicely yesterday tied back 189 and 119, or something 


14 like that, and the 104, so we've got three, but a bunch of them 


15 I don't remember having discussed before. 


16 MR. KOSTO: And what we might suggest is that it's not 


LS) so important which IP address they came from but what was 


18 happening with that IP address: the same downloads, the same 


19 user, the same companies, the same kind of information, all of 


11:06 20 which ties it to the actors. 
21 THE COURT: Was there trading by these --— 
22 MR. FRANK: Yes. 


23 COURT: That's the key. 


24 . FRANK: We haven't gotten there yet. 


25 . KOSTO: It's coming. 
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al THE COURT: But you'll tie that in, those downloads, 


2 even though we don't recognize the IP address? 


3 MR. FRANK: That's correct. 


4 MR. KOSTO: There's a lot of different kinds of 


5 evidence that has -- 
6 (Cross-talk.) 


a THE COURT: Good luck to you. Good luck to you. 


8 You're going to have some experts who are going to sort of try 


9 and explain it? 


11:07 10 MR. NEMTSEV: Yeah. I'm trying to figure out -- your 


11 Honor told them Thursday, but I don't think it's going to be 
12 Thursday. Wednesday? 


13 MR. FRANK: If we start Mr. Clarke today, then your 


14 experts, unless you have some massively long cross of 


15 Mr. Clarke, will be in tomorrow. 


16 THE COURT: So you might want to have them here. 


17 MR. NEMTSEV: don't know if I can get both of them 


18 here, though. 


19 THE COURT: One anyway. And am I going to be getting 
11:07 20 anything on the jury instructions? 
21 MR. KOSTO: Yes, your Honor, three or four pages with 
22 some minor suggestions. 


23 THE COURT: That's fine. Just, you know, if there's 


24 anything we need to look up. We've been doing a lot of 


25 research on venue, I have to say, which turns out to be 
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] interesting issue. The Second Circuit requires a jury to try 


2 it on venue if there are disputed facts, which there are here. 


3 The Ninth Circuit suggested special interrogatories, which none 


4 of you seem to want. 


is MR. NEMTSEV: We don't want that. 


6 THE COURT: You've said "no" too, so you're both on 


7 the same page. If you agree, which is rare, I agree. 


8 And then, as far as I'm concerned, while there is some 


9 leeway for a judge if it's undisputed facts, I think there are 


11:08 10 disputed facts here, so it will go to the jury. 


11 MR. FERNICH: And I'd like to be heard on that at 


12 Rule 29 time, either orally or in writing. I'm not sure -—- I'm 


13 working it in my head right now —- what I want to do with that. 


14 THE COURT: Maybe. I understand you have a real 


15 don't even know if Rule 29 applies here, but if it does, let me 


16 just say this: I'm not dealing with that issue. I'm dealing 


£ 


17 with the issue of -—- it turns out Judge Woodlock wrote a very 


18 nice opinion saying it was unsettled in the First Circuit, as 


19 usual, but basically most circuits I think are trying venue 


11:08 20 when there are disputed facts. 


21 MR. FERNICH: Yes. And I think that even taking the 


22 facts in the light most favorable to the government, they 


23 haven't established venue as a matter of law. 


24 THE COURT: Then it will be going to the jury. 


25 MR. FERNICH: Okay. 
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1 THE COURT: Okay? I haven't heard the whole case yet, 


2 but at least 


3 MR. FE : I understand, I understand. 


4 THE I don't want to spend the time. We all 


bs need a break. 


6 (End of sidebar conference.) 


7 (A recess was taken, 11:09 a.m.) 


8 (Resumed at 11:38 a.m.) 


9 THE CLERK: All rise. 


11:37 10 (The Court entered the courtroom.) 
11 MR. FRANK: Your Honor, we have a proposed instruction 


12 for Mr. Clarke. 


13 THE COURT: Mr. Clarke? 

14 MR. FRANK: For his testimony. 
15 THE COURT: Okay. 

16 (Handed up instruction.) 


ike) Did you share it? 


18 MR. NEMTSEV: Now they did. 


19 (Pause.) 


11:38 20 THE COURT: Okay. So you guys can play with it, if 


21 something else. 


22 Can I also say that I need a copy of this chalk for 


23 the record, if we have one printed out. 


24 MR. KOSTO: We'll print one for you, your Honor. 


25 THE COURT: Yeah, I think we need to keep that in the 
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2 Could you just move it a little bit, because it blocks 


3 fF the jurors, so I can't see them. 

4 MR. KOSTO: Sure. 

5 (Pause. ) 

6 THE COURT: Where is the witness? 


a MR. KOSTO: We'll bring him 


8 THE CLERK: All rise for th 


9 (Jury entered the courtroom. 


11:40 10 THE COURT: Okay. Power on until 1:00. Let's go. 


all Sir, you may sit down, and you're still under oath. 


12 I'm speaking only for myself, but as someone who's not 


£ 


13 a computer scientist, i 


you could just sort of speak in plain 


14 language so we can really follow this, it would be helpful. 


15 They're all laughing. They must all have PhDs in 


16 computer science, I'm sure. But it's a little hard to follow, 
ay so maybe take baby steps. 


18 All right, go ahead. 


19 MR. KOSTO: In that vein, may I continue, your Honor? 
11:40 20 THE COURT: Yes. 


21 BY MR. KOSTO: 


22 Q. Let's go back about a hundred feet, Mr. Uitto. 


23 First of all, in your illustration, your chart, 


24 computers 1 through 9, are those the ones on the right-hand 


25 side of your chart? 
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1 . Yes. 
2 : Computers 1 through 7 were that gatekeeper, right? 
i : Yes. 


4 ‘ Okay. And computer 8 is the one we've been calling the 


5 Empire server, right? 
6 : Yes: 


7 . That's the one with PowerShell on it. 


8 : That's correct. 


9 : And just remind us where computers 1 through 8 came from. 


11:41 10 Where were they in the internet? 


11 A. They came from the two providers, DigitalOcean and Vultr. 


12 Q. And that's even actually written down in the left-hand 


13 corner of your illustration, right? 


14 A. 


LS Q. We've got computers number 1 and 2 came from DigitalOcean, 
16 right? 
17 ‘ Yes. 


18 ‘ And computers numbers 3 through 7 and 9 came from Vultr? 


19 Correct. 


11:41 20 ; And these were the servers that you examined? 


21 : Yes. 
22 THE COURT: And they're not Toppan Merrill servers, 


23 


24 THE WITNESS: That's correct. 


25 THE COURT: When you called them "infected," what did 


11:42 10 


11:42 20 


21 


22 


23 


24 


25 
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you mean by infected? 


THE WITNESS: So there's logs contained from Toppan 
Merrill servers, logged information -- 


THE COURT: Is it the hacker's servers? 


MR. KOSTO: I think I can clear this up, your Honor. 


THE COURT: Okay, go ahead. 


BY MR. KOSTO: 


So 1 through 8 are what you looked at? 
Yes. 


And there was malware on those computers, right? 


Yes, I would call it malware. 


And those were the ones from DigitalOcean and Vultr? 


Yes. 
Those are the hacker's computers, right? 


Yes. 


The computer on the left in your chart is Toppan Merrill, 
right? 
Yes, the Toppan Merrill network or computers, yes. 


Toppan Merrill is the alleged victim in this case, right? 


Yes. 


And your chart is designed to show communications between 


the victim computers and the hacker computers, right? 


A. Yes. 
O. And what happened to those communications when they got to 


the hacker computers? 
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al A. They were stored, some of them, or the logs were stored 

2 there. 

3 : And you found them when you did your forensic analysis on 
4 hacker computers? 

5 ; Yes:. 


6 : And what we're looking at with these exhibits is what 


7 found on the hacker comput right? 


9 : And occasionally, we're going to put up an exhibit that 


11:43 10 from the victim's computers, yes? 


12 Q. And we're going to compare what was on the victim's 

13 computers with what was found on the hacker's computers; is 
14 that right? 

15 A. That's correct. 

16 Q. All right. Let's try it once and see how it goes. 

17 THE COURT: So is 8 a hacker computer? 


18 THE WITNESS: Yes. 


19 BY MR. KOSTO: 


11:43 20 Q. And is number 8 the computer that you've been calling the 


21 Empire server? 


22 : Yes. 
23 ; And why did you call it that? 


24 : That's where the Empire PowerShell software was running. 


25 : And PowerShell was one of the things that Special Agent 
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1 Hitchcock asked to you look for, right? 


2 : Yes. 


3 : Because it was also found on the victim's computer. 
4 ‘ That's correct. 
5 THE COURT: And what's PowerShell? 


6 THE WITNESS: Empire PowerShell, I would call it 


8 THE COURT: All right. So that's what you're calling 


9 the malware? 


11:43 10 THE WITNESS: Yeah. Microsoft, they have software 


11 known as Windows Defender that runs by default on the Windows 


12 operating system, and they classify Empire PowerShell agents as 


13 malware. 


14 THE COURT: So the malware is on 8? 


15 THE WITNESS: It controls the malware that's 


16 BY MR. KOSTO: 


17 Q. Excuse me, Mr. Uitto, is the malware also on 


18 victim's computers? 


11:44 20 : in the examples we're going to be going over here 
21 today, is it the same malware that's on the victim's computers 


22 and the hacker's computers? 


23 A. It's the agent or the client, while 8 is the server that 
24 controls -—- 


25 Or Let's take a look at one of them and see what happens, 


11:44 10 


11:45 20 


21 


22 


23 


24 


25 
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okay? 
A. 


Q. 


Okay. 


Let's bring back up Exhibit 159. 


7-104 


You testified before break that this was an agent.log 


Let's start with the simple question of what 


ind this file on? Forget 


A. 


serve 


£ 


from? 


what's in it, just 


computer did 


where did it 


This came from the server furthest on the right, the 


r number 8 or the Empire server. 


Okay. So the hacker computer? 


Yes. 


Okay. And you found this file in the hacker computer? 


Yes. 


And this file, number -—- this file is -- it's gota 


computer name associated with it, a host name. 


That's correct. 
Can you read that aloud? 


So it is USD10846. 


Even though that says "US 


On server number 8. 


Not on a Toppan Merrill computer, 


That's correct. 


D," where did you 


find this? 


on the hacker computer? 


And what does the fact that there's a computer named -- a 
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1 log of a computer named 10846 on the hacker computer tell you? 


2 ‘ It tells me that this machine was infected -- this machine 


3 I did not examine, but there are log files from it. 


4 : So there's a Toppan Merrill machine that's communicating 


5 1 the hacker machine, and that machine is named USD10846, 


6 ight? 
7 F Yes. 


8 Q. Okay. What's the date that this infected computer at 


9 Toppan Merrill communicated with the hacker computer number 8? 


11:45 10 A. December 23rd, 2019. 

11 Ox And is there something on this log that you found that 
12 tells you the name of the program that was running on the 
13 victim's computer at Toppan Merrill? 

14 A. Yes, the process name line, and that reads rdtevc. 

15 Q. And is process another name for computer program? 


16 A. 


17 Q. So this is a log that shows that a program named RDTE 


18 was running on a Toppan Merrill computer, right? 


19 : Yes. 


11:46 20 : But it's stored in the hacker computer? 


21 : That's right. 


22 ‘ The log is stored there, but it's a record of what's going 
23 on at Toppan Merrill? 
24 


25 
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al. THE COURT: Is that the malware? 


2 THE WITNESS: rd —-- 


3 BY MR. KOSTO: 


4 Q. What is RDTEVC? 


5 A. So that is the Empire PowerShell agent, one of them. So, 
6 yes, that would be -—- if you ran it, Windows Defender, it would 


7 classify that as malware. So Microsoft would call Empire 


8 PowerShell agent's malware. 


9 Q. And what does PowerShell do? You can call it anything, 


11:47 10 right? You can call it RDTEVC? 


11 , That's probably a randomly chosen name. 


12 : But no matter what it's called, what does it do? 


13 : So it allows it to be remotely controlled and accessed. 


14 ; Allows what to be remotely controlled and accessed? 
LS : The infected machine. 

16 THE COURT: That means you're the hacker machine? 
17 When you say "infected machine," are you referring to the 


18 hacker machine or the victim machine? 


19 THE WITNESS: Victim machine. 


11:47 20 THE COURT: So when you say "infected" -—- you've been 


21 using that term a lot sometimes it's the hacker and 


22 sometimes it's the victim? 


23 THE WITNESS: I think the two terms we've used are 


24 "malware" and "infected," and we've used 


25 BY MR. KOSTO: 


11:48 10 
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Q. Let's just —-- if we can, Mr. Uitto, let's use "hacking 


computer" and "victim computer." 


A. Okay. 


Q. When you refer to infected machines, are you referring to 


the hacking computer 
A. Victim. 
THE COURT: 


THE WITNESS 


THE COURT: 


THE WITNESS 


BY MR. KOSTO: 


11:48 20 


21 


22 


23 


24 


25 


or the victim computer? 


So 1 through 7 are what? 
: Those are all hacker machines. 
Those are all hacker, not infected? 


: That's right. 


And how about number 8? 


That's also a hacker machine. 


And the infected computer on your chart is where? 


On the very far 


Lett. 


The one that says "Toppan Merrill" underneath it? 


Yes:< 


Now, you've talked about this program, PowerShell, running 


on the infected machine, the machine at Toppan Merrill. 


A. Yes. 


Q. And what was the name of the program that was running on 


the machine at Toppan Merrill, the victim's computer? 


A. It was that RDT! 


Q. Okay. And what 


EVC. 


date was it running on? 


A. December 23, 2019. 
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al: ; we now see Exhibit 240 on the left. 


2 Mr. Uitto, is it fair to say that Exhibit 240 comes 
3 from the victim machine? 

4 ‘ Yes. 

5 ‘ The one at Toppan Merrill? 

6 : That's correct. 

. : And you know that how? 


8 < So there's a line down at the bottom, computer, and it 


11:49 10 : What is the domain there? 


11 : It was toppanmerrill.com. 


12 : So that tells you this is a log from the victim computer? 


13 : Yes. 


14 ; And does the log from the victim computer on the left tell 


15 you the name of the program that was running on this computer? 


17 : Can you read it aloud? 


18 A. So at the very end of that long line there, it's 


19 rdtevc.exe. 


11:49 20 Q. And so when you examine forensically this computer out 


21 there at DigitalOcean and Vultr, and you see RDTEVC on the 


22 hacker's computer and you see RDTEVC on the victim's computer, 


23 what does it tell you about the relationship between the 


24 hacker's computer and the victim computer? 


25 A. That they were communicating and that that's where it 
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1 communicated through. 

2 0. They were communicating with each other? 

3 A. 

4 O.. And what program were they using to communicate with each 


bs other? 


6 A. Empire PowerShell. 


. Q. And is the same date on the hacker's computer and the 
8 victim computer? 


9 A. Yes. 


11:50 10 Q. And let me ask you one more guestion about the log | 


11 the hacker's computer. 


12 About midway down the page, do you see an IP address 


13 labeled "External IP"? 


14 . Yes. 


is) s This is in Exhibit 159, the hacker's computer. 


16 Can you read that aloud? 


17 : Yes, the IP address is 45.77.65.69. 


18 ‘ Okay. Let's pause for a second. 


19 Do you recognize that IP address? 
11:50 20 : I do. 


21 : Is it a hacker computer or a victim computer? 


22 : It's a hacker computer. 
23 : And is it one of the hacker computers that is on 
24 chart? 


25 A. Yes. 
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al. QO. Which one? 


2 A. It's -—- so the V-shaped formation, it's the very one at 


3 the tip, server number 4, I believe it is. 


4 Q. So 45.77.65.69 was computer number 4? 


6 : I’m going to direct your attention to page 48. We're 


- going to skip way far down in Exhibit 159. Baby steps, though. 


8 A lot of code here. We're not going to focus on all 


se 


9 of it, Special Agent Uitto. Two full paragraphs from the 


11:51 10 bottom -- 
da. MR. KOSTO: You can take down the one on the left, 


12 Ms. Lewis. Thank you. 


13 Q. full paragraphs from the bottom, with the date 


14 12/25/19 at 10:51:24, do you see that? 


16 : Just a reminder, which computers where did you find 
17 log? 


18 : This was on server number 8, or the Empire server. 


19 THE COURT: The hacker. 
11:52 20 ‘ The hacker computer? 


21 F Yes, the hacker. 


22 : One of the hacker computers? 


23 : That's correct. 


24 : And do you see the name of the program that's running 


25 the hacker computer? 
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al : I do. 


2 < And what is the name there? 


3 ; It is migrate.exe. 
4 : And what is migrate.exe? 


PY ag 


5 : So from other information I found on another system, it is 


6 actually different software known as PuTTY. 


7 Q. Okay. Is something -—- 


8 THE COURT: It's different software, what? 


9 THE WITNESS: Known as PuTlTY. 


11:52 10 BY MR. KOSTO: 


11 Ox And what does PuTTY do ordinarily, just in very, very 
12 basic terms? 

13 A. So it's a way of making a secure connection between two 
14 computers. 

15 Q. And when something is renamed, in your opinion, why 

16 renamed from what it's called PuTTY to something called 

17 migrate.exe? 


18 2 To hide what it is. 


19 : Can you go out and buy migrate.exe? 


It's a free software, so PuTTY is free. 


11:53 20 


21 : But you'd have to rename it to migrate? 
22 : Yes. 


23 : What does the renaming tell you about the use of that 


24 ftware? 


25 . So that it -—- they're trying to hide it. 


Case 1:21-cr-10104-PBS Document 215 Filed 02/21/23 Page 112 of 167 


7-112 


i : And the "they" in this case who is trying to hide it is 


2 Not by name. 


3 : The attackers. 


4 ‘ The attackers, the hackers? 
5 : Yes. 


6 : At the bottom of this line of the paragraph Ms. Lewis has 


7 highlighted, do you see the name tjerome? 


9 : Does that name mean anything to you as you sit here today? 
11:53 10 : That is the username that was used to log into server 
11 number 4. 
12 Q. Let's pause there for a sec. 
13 So what computer logged into server number 4? 


14 A. So that was the USD10846, the Toppan Merrill, the infected 


15 machine. 
16 Q. So a victim machine logged into computer number 4 in the 
ay diagram? 


18 : Yes. 


19 F And what username did it use? 


11:53 20 : tjerome. 


21 : And when did that take place, that login from the victim 
22 computer to the hacker computers? 


23 A. It was on December 25th of 2019. 


24 Q. Now, just a few more questions about this exhibit from the 


25 hacking computer. 
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al Do you see on page 49 at 1:14 in the afternoon —--— 


2 MR. KOSTO: If you'll highlight that section, please, 
3 . Lewis. 

4 : First of all, do you see tm.toppanmerrill.com? 

5 ‘ Yes. 


6 : What does that tell you is going on in this line of code? 


7 Where did you find this code? We're still in the 
8 agent log, right? 
9 : Yes, so this was on server number 8. 

11:54 10 ; This is from the hacker computers, right? 

11 : Hacker computer, yes. 


12 ‘ And what is going on in this line of code? Put it in the 


13 plainest of English. 
14 A. So the infected machine is being -- 


is) Q. The victim machine? 


16 A. The victim machine is using -- or being used to check if 


Ly another machine is online. 


18 Ou What's the number for the other machine that the victim 


19 machine is looking for? 


11:55 20 : USD11150.tm.toppanmerrill.com. 


21 Q. So this is one victim machine reaching out to talk to 
22 another victim machine? 


23 


24 : But where was this little snippet of code found? Was it 


25 found on the victim machines? 
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al : No. 


2 : Where was it found? 


i : It was found on server number 8, the Empire server. 
4 ‘ The hacker -- 

5 : The hacker machine. 

6 : Okay. Now, one last question here. 

- At 1:15 on the next page, 1:15 p.m. —- 


8 MR. KOSTO: 13:15:00 on Christmas Day, Ms. Lewis, do 


9 you have it there? Thank you. 


11:55 10 : I'm not going to get deep into this, but do you see the 
11 words "netsh"? 
12 : YES. 


13 : And what is netsh doing? 


14 : This command is opening a connection between two machines. 


LS : Okay. Which two machines are communicating with each 
16 other? 
17 : So both of them are victim machines. 


18 : can we tell what the victim machines are saying to one 


19 another? 
11:56 20 - No. 


21 : Why is that? 


22 : The connections would be encrypted. 
23 : And so how does that help or hurt the attack to have the 


24 communications encrypted? 


25 A. It would be difficult for those that are looking for 
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1 attacks to know what's going on. 

2 Q. Like a system administrator. 

3 A. 

4 O. All right. Let's go to a different one and hopefully an 
5 easier one. Thanks for your patience, Mr. Uitto. 


6 MR. KOSTO: Can we please have 160, Ms. Lewis, and I 


7 offer it. 


8 (Exhibit 160 received into evidence.) 


9 : Do you have it in front of you, Mr. Uitto? 


11:56 10 : Yes. 


11 : Is this another agent.log file? 


12 ‘ Yes, it is. So it's from another victim machine. 
13 : Okay. And which computer did you find this log file on, 
14 the hacker computers or the victim computers? 


LS A. Victim computer. Or this was on the -—- the hacker 


16 computer I found this log. 


ay Q. Okay. And does the information in this log tell you 


18 anything about the victim computer? 


19 i Yes, there was a host name and a username. 


11:57 20 : What was the username for the victim computer? 


21 : It's -- there's a username line there, and it's rbehm. 


22 ‘ And what was the name of this machine that was being 


23 recorded here? 


24 z That's the host name line, and that is USL10986. 


25 : Okay. And does this log show a connection between a 


11:58 10 


11:58 20 


21 


22 


23 


24 


25 
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victim machine and a hacking machine? 


A. Yes. 


Which of the hacking machines does it show a connection 


line label 


ed "External _I IP there is 


45.77.33.100. 


Q. And is 


but is t 


Yes, 


that an 


hat an 


[ believe 


IP address -- you don't have to memorize 


IP address that's already on your chart? 


it's near the bottom. 


Which computer number is that one? 


MR. 


Yes. 


MR. 


address. 


QO. So Ms. 


KOSTO: 


KOSTO: 


I don't see the chart. I'd have to —-- 


I think Ms. Lewis could bring it up for 


I think it's the bottom one. 


Do you see computer number 7 at the bottom? 


Ms. Lewis, could you highlight the 


Lewis has just highlighted computer number 7's 


unique IP address, 


Yes. 


And what's the 


communicatin 


g to? 


correct: 


IP address? 


It's 45.77.33.100. 


Is that the same IP address that the victim computer was 


11:59 10 
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January 17th of 


All right 


2019. 
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. Were you able to identify by name the 


administrators of the hacking computers? 


11:59 20 


21 


22 


23 


24 


25 


Q. 


A. 


number 8 


very 


Why not? 


They were sophisticated. 


N 


EMTS 


EV: 


THE COURT: 


What steps, 


BY MR. KOSTO: 


You said sophisticated. 


object, 


Overruled. 


your Honor. 


could you tell? 


They took steps to hide who they 


Why do you say sophisticated? 


This setup that we see in the diagram where server 


is kind of hidden, 


sophisticat 


How about 


ted setup. 


the use of PowerShell in this way? 


Yes, this was -—- that's a -—- not a simple tool 


one that takes some knowledge and know-how how 


hacking tool. 


Q. 


or attempted to be hidden, that's a 


to use. 


to use that 


What does the use of this hacking tool tell you about what 


the hackers understood about computing? 


A. 


They had an intimate knowledge of —-- 


MR. N 


EMTS 


EV: 


Objection, 


your Honor. 


12:00 10 
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THE COURT: Sustained. 


BY MR. KOSTO: 


©. What about 


the use of the reverse proxy, what does that 


tell you about these hackers, if not their names? 


A. That they were sophisticated. 


Q. One last exhibit for you, Mr. Uitto. It's Government 


Exhibit 161. It's a 583-page document, but we're going to look 


at just one page, okay? 


THE COURT: You're not introducing the whole thing, 


are you? 


MR. KOSTO: No, we're offering it and we're going to 


refer to page 1] 


. It will never be printed out, your Honor. 


We'd offer 161. 


(Exhi 


bit 161 received into evidence.) 


BY MR. KOSTO: 


12:00 20 


21 


22 


23 


24 


25 


And I'd ask you if you recognize Exhibit 161. 


Yes. 


What is it? 


So this is 


Before you 


a script called Invoke-Mimikatz. 


talk about Invoke-Mimikatz, could you tell us 


which computer it was found on? 


A. This was found on server number 8, the Empire server, the 


hacker -—- one ot 


QO. One of the 


fF their machines. 


hacker computers, oKay. 


What is Mimikatz? 


12:01 10 
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A. So Mimikatz, it is software that can be used to steal 


credentials, which are usernames and passwords. 


O. And so Mimikatz was found where? 


A. The software was found on server number 8. 


MR. KOSTO: Let me ask you, Ms. Lewis, to pull up 


Exhibit 239 on the left from Toppan Merrill. Or the right. 


EBither/or is fine. 


QO. Can you read the date for this log from Toppan Merrill? 


A. So the log line there is January 10, 2019. 


MR. KOSTO: And, Ms. Lewis —- 


Ox Or could I have you read the name of the program that's 


referenced in the log file from the victim computer? 


A. So there's a second line from the top in the center there, 


function Invoke-Mimikatz. 


Q. What is the relationship between the Mimikatz on the 
victim computer and the Mimikatz on the hacking computer? 
A. They both appear to match. 


Q. I have you read the second sentence of the paragraph 


immediately below "Synopsis." 


12:02 20 


21 


22 


23 


24 


25 


A. So in the right-hand one or the let 


QO. Both, in the right-hand one. 


A. Okay. So this script leverages Mimikatz 2.0 and 


7 


Invoke-Reflective PE injection to reflectively 


Q. I'm going to have you skip to the second sentence, the 


in English. 
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1 : Okay. 


2 ‘ Beginning with "This allows." 
3 : "This allows you to do things such as dump credentials 


4 without ever writing the Mimikatz binary to disk." 


5 Q. And looking at Exhibit 161 from the hacker computer, do 


6 you see the same sentence there? 


8 ‘ Is this the exact same program on the hacking computer and 


9 the victim's computer? 
12:02 10 A. Yes:: 


11 . KOSTO: Nothing further. 


12 . NEMTSEV: Can we leave that up? 


13 I Sorry. 


14 Your Honor, could I put next to Mr. Uitto his 


15 THE COURT: I can't hear a word you're saying. 


16 MR. NEMTSEV: Can I put next to Mr. Uitto his expert 


ay report in case he needs to refer to it so I don't have to run 


18 back and forth? 


19 THE COURT: If it's his expert report, that's 


12:03 20 


21 : ive t is. Thank you, your Honor. 


22 CROSS-EXAMINATION 


23 BY MR. NEMTSEV: 


24 Q. Good afternoon, Mr. Uitto. My name is Max MR. N 


25 You and I have never met before, correct? 


Case 1:21-cr-10104-PBS Document 215 Filed 02/21/23 Page 121 of 167 
7-121 


1. A. That's right. 


2 O.. And you just testified regarding the similarities and 


i) potentially the differences between these two programs that 


4 were located, one on the Toppan Merrill server, the other one 


bs on what you called was a hacker server, correct? 


7 : Do you see differences in terms of versions that were 


8 installed -—- I lost it. 


9 I got it back. 


12:04 10 THE COURT: Is the mic not working? 


11 MR. NEMTSEV: No, no, the screen stopped working. 


12 THE COURT: Oh. 


13 BY MR. NEMTSEV: 


14 ‘ Do you see the different versions between Exhibit 161 and 


15 ther exhibit that's on the screen on the right? 


16 : I examined the one on the left. The one on the right, 


£ 


17 I believe, came from evidence. 


18 ‘ But you would agree that they're different versions? 


19 THE COURT: Are you talking about different versions 


12:04 20 of Mimikatz? 


21 MR. NEMTSEV: Yes. 


22 : There is a different version line, Mimikatz Version 2.1, 


23 then there's on the left it's 2016 11/26, and on the 


24 E 1b is 2018 06/716. 


25 : And you would agree that the 2018 and the 2016, that 
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1 refers to the year that it was produced? 


2 A. That's likely the case. 


3 Q. And Mimikatz, to your knowledge, is a public, open-source 


4 program that anyone can download, correct? 


6 ; I believe in your report you referenced a link where 


7 could go right now, open it up on my computer, click the 


8 "download" button, and I would be in possession of Mimikatz, 


9 correct? 


12:05 10 A. Yes. 


11 Ox And Mimikatz is -—- Bialek seems to be the author of 


12 Mimikatz, correct? 


13 A. That's correct. 


14 Q. Could this these are different versions, clearly, 


15 correct? 


16 A. I'd have to see the complete file to see all of the 


17 differences, but there is a different version number in there. 


18 O.. So it's unlikely that the version on the left made it onto 


19 the computers -—- to the Toppan computers on the right? 


12:06 20 A. I did not examine the computers on the right, so the 


21 Toppan Merrill computers. I only examined the virtual servers, 


22 so 


23 THE COURT: You only looked at the so-called hacker 
24 computers? 


25 THE WITNESS: That's correct. 
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i THE COURT: You didn't look at Toppan Merrill's? 


2 THE WITNESS: That's correct. 


3 BY MR. NEMTSEV: 


4 O.. And you looked at it to identify connections, correct, 
5 between the two computers? 


6 A. There was logs that detailed connections between the two. 


. Q. Did those logs show you what files were downloaded, when 


8 they were downloaded? 


9 A. In some cases, yes. 


12:06 10 Q.. Did they show you when and at what time, for example, 


11 earnings reports were downloaded? 


12 A. I did not come across that during my examination. 


13 O% Did you see any evidence that earnings reports were 


14 downloaded through the use of these servers? 


15 A. I did not come across that either. 


16 Q. And this is despite a significant amount of effort being 


LS) spent on your part to analyze these nine servers, correct? 


18 A. I spent a lot of time examining these, yes. 


19 Oz In fact, you produced a 136-page report outlining your 
12:07 20 findings? 


21 A. Yes. 


22 Q. And one of the requests from Special Agent Hitchcock was 
23 to determine who was operating these servers; is that correct? 


24 A. 


25 Q. And were you able to ascertain who operated these servers? 
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al : I didn't identify who, but I found a lot of IP addresses, 


2 I found information that -- some of the information we know 


3 about them, I guess. 


4 Or You have no knowledge whether Mr. Klyushin, for example, 


5 used any of the IP addresses that are associated with these 


6 servers, do you? 


i A. That was not my involvement. I provided Agent 
8 Hitchcock —--— 
9 THE COURT: Can you answer that "yes" or "no"? 


12:07 10 THE WITNESS: No. 


1] BY MR. NEMTSEV: 


12 Q. You testified to other programs, I believe, that were 


13 located on the server. One was PuTTY, correct? 


is) ‘ Another one was NGINX, correct? 


16 : So PuTTY -—- yeah, it was downloaded and NGINX, yes, was 


17 running on those machines, eight of the nine. 


18 Q. And PowerShell Empire you testified to, correct? 


19 A. 


12:08 20 Q. And am I correct that all of that software is publicly 


21 available, open source, easily downloadable? 
22 A. 


23 Q. And its existence on a system does not necessarily 


24 indicate that it was a compromised or an infected computer, 


25 correct? 
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1 A. Well, I have log files that show that it was from infected 


2 machines and -- 


3 < testified that a file was renamed, did you not? 


5 < testified that, in your opinion, it was done in order 


6 to hide the program that was located within the file? 


8 : Is it your testimony that antivirus programs look at the 


9 name rather than the code of a program to determine whether 


12:09 10 it's malware or not? 


11 : I believe are you asking about PuTTY? 


12 : I'm asking about the file that was renamed, I believe it 


14 : The migrate.exe? 
15 : Potentially. 


16 : Yes. So migrate.exe, that was PuTTY, and PuTTY is not 


17 classified by Microsoft as malware. So Windows Defender is the 


18 default malware-scanning engine that's on most Windows 


19 operating systems, and it does not recognize PuTTY as malware. 


12:09 20 Q. You would agree that a sophisticated actor, the way you 


21 phrase it, would know that Windows Defender doesn't identify 


22 this specific program, PuTTY, as malware? 


23 A. They would know that. That was used to create a secure 


24 tunnel from the victim machine out to one of the hacker 


25 machines. 
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1 Q. And you would agree that if it's not identified as malware 


2 by Microsoft, for example, you wouldn't necessarily need to 


3 rename it in order to hide its origins or what it is? 


4 A. Well, there may be system administrators that are looking 


5 at these log files, like the one on the right, and they -- if 


6 they see PuTTY running, for instance, that could raise 


7 suspicion. If they, for instance, aren't running Linux servers 


8 in their environment -- and I don't know all of the details of 


9 it, but —- of the victim environment, but if it's a Windows 


12:10 10 environment and they see PuTTY running and they don't have any 


11 Linux or SSH servers, then that could potentially raise some 
12 concern from the sys admin. 

13 Q. You also testified that you don't know what the Toppan 

14 Merrill administrators and what servers and what programs they 


is) were running, correct? 


16 : I don't know the details of their environment. 


17 : You did not examine Toppan Merrill's service, correct? 


18 : I did not. I only examined the nine servers that I had. 


19 Ox Sir, isn't it a fact that certain of the files that you 


12:11 20 located and identified in your report originated from 2016? 


£ 


21 A. Which ones are you referring to? 


22 Q. Well, for example, 161 is an exhibit. It's a version of 


23 Mimikatz that was identified from 2016 -- November 26, 2016; is 


24 that correct? 


25 A. Well, that may be when the developer wrote the code, not 
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1 necessarily when it was downloaded or set up or installed on 


2 the server number 8. 


3 Q. Could you please take a look at page 60 of your report. 


4 (Pause.) 


5 A. Okay. I have it open here. 


6 Q. Yes, of course. I don't expect you to memorize 136 pages 


7 of log files. 


8 Am I correct that this is a printout of what you 


9 located on the C drive and program data? 


12:12 10 ; This is one of the agent logs from server number 8. 


11 ; This is one of the agent logs? 
12 : So it's a log regarding one of the victim machines. 


13 : So the data in C -—- drive C program data that relates to 


14 data located on Toppan Merrill's server or the server of the 


15 hackers? 


16 A. So this log file came from the hacker server, but it's 


17 about information in the victim computer. 


18 : Can you turn to page 51, please. 


19 : Okay. I'm on page 51. 


12:13 20 ; Is my understanding correct that that is a file associated 


21 with the information of the computer that was potentially 


22 hacked belonging to Toppan Merrill? 
23 A. Yes, it was identified on server number 8, and it is 


24 logged information from a victim machine. 


25 Q. Do you see it says, "Original install date, August 4, 
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1 2016, 2:45 p.m."? 


2 A. I'm looking for that line. One moment here. 


3 Q. It's two or three -- 


4 THE COURT: Is it on the monitor? 


5 MR. KOSTO: This isn't in evidence, your Honor. 


6 MR. NEMTSEV: This is from his report, your Honor. 


7 THE COURT: I see. 


8 (Pause.) 


9 . Which location in the page is it? 


12:14 10 : It's in the middle of the page, if you see -—- if you 


11 -—- do you see where Merrill Corporation, registered owner? 


12 ; Let's see. I see registered organization, Merrill Corp. 


13 Communications. 


14 . Yes. And then two lines down, original install date? 


iS) : Yes, I see that. 


16 : And it refers to a date, August 4, 2016; is that correct? 


17 : Yes, this appears to be information about the Windows 


18 operating system install date, not the malware install date. 


19 QO: At least the system itself was around since 2016, correct? 


12:15 20 A. With the install date of Microsoft Windows, it appears to 


21 be, according to this log, August 4, 2016. So that was likely 
22 set up by probably an assist admin at the victim company, not 
23 the hackers. 


24 QO. Understood. 


25 A. They installed Windows. 
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i MR. NEMTSEV: Nothing further, your Honor. 


2 MR. KOSTO: Very briefly. 


3 THE COURT: Why don't you ask from your —- well, if 


4 it's just a few questions. 


5 MR. KOSTO: If that's okay, your Honor. From here? 


6 THE COURT: Yeah, if it's just a couple of questions. 


7 REDIRECT EXAMINATION 


8 BY MR. KOSTO: 


9 Q. You told Mr. Nemtsev that Mimikatz, PowerShell, and some 
12:16 10 of the other programs you referred to are able to be downloaded 
‘Lal publicly; is that right? 
12 A. 


13 Q. Just because a program is —- like Mimikatz can be 


14 downloaded publicly, can it be used to steal passwords? 


15 A. Yes. 


16 Q. Is it allowable to use it to steal passwords? 


17 MR. NEMTSEV: Objection. 


18 THE COURT: Sustained. 


19 BY MR. KOSTO: 


12:16 20 Q. Do system administrators permit the use of Mimikatz to 


21 steal their passwords from their network? 


22 MR. NEMTSEV: Objection. 


23 THE COURT: Sustained. 


24 : I would say -- 


25 THE COURT: Sustained. You've got to listen to me. 
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1 I've agreed with the objection, so you can't answer. 


2 BY MR. KOSTO: 


3 Q. Mr. Uitto, are you familiar with the concept of 


4 filtration? 


3 F Yes. 


6 . Big word, but what does it mean? 


7 2 It means to steal data, take data. 


8 : And in your review, did you find evidence you told Mr. 


9 Nemtsev you didn't find evidence of the taking of data from the 


12:17 10 victim computers to these particular hacker servers; is that 


1] right? 


12 A. That's right, but I did see secure tunnels that 


13 created. 


14 Q. So when you say there were secure tunnels, were 


15 to tell what was going through those secure tunnels? 
16 : No. 
ay ‘ Those were encrypted, 


18 : Yes. 


19 ‘ So you actually don't know whether or not there 


12:17 20 financial information in those tunnels? 


21 : That's correct. 
22 : Or sports scores or anything? 


23 : That's correct. 


24 ‘ It's encrypted. 


25 . Yes. 
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i : And why is it encrypted? 


2 MR. NEMTSEV: Objection. 


3 BY MR. KOSTO: 


4 Ou What role does encryption serve in this hacker 


5 architecture? 


6 MR. NEMTSEV: Objection. 


7 THE COURT: Overruled. 


8 : So I can answer? 

9 ; Yes. 
12:17 10 : Yes, so it can be used to hide data or information. 
11 : So if it's encrypted, we can't know what's being passed? 
12 ; That's correct. 


13 MR. KOSTO: Nothing further. 


14 MR. NEMTSEV: A couple of questions. 


15 Can I do it from here? 


16 THE COURT: Right there. 


LS) RECROSS—-EXAM 


18 BY MR. NEMTSEV: 


19 Q. Isn't encryption a common security feature as well? 
12:18 20 A. Yes, it's built into a lot of software these days. 


21 Q. And system administrators obviously care about protecting 


22 their data, and they would use encryption, by themselves, to 
23 make sure that that data doesn't get out? 
24 A. That's correct. 


25 Q. And it's a common feature, we probably have it on our 
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ac phones, our computers, correct? 


2 A. Yes, but I guess the usage that we see here with the 
3 migrate.exe, this was not run by the sys admin, it was run by a 


4 hacker. 


5 THE COURT: I can't hear a word you're saying. 


6 A. So the migrate.exe, the one that we looked at earlier, it 


7 was not run by a system administrator. It was run by one of 


8 the attackers. 


9 Q. And what they took out or put in, you don't know, correct? 


12:18 10 A. I don't know the contents. 


11 MR. NEMTSEV: Thank you. 


12 THE COURT: Thank you. 

13 Thank you. 

14 Who's the next witness? 

15 You can step down. Thank you, sir. 

16 MR. KOSTO: Vincent Kenney for -—- the United States 


ay calls Vincent Kenney, your Honor. 


18 May I take down the chalk? 


19 THE COURT: Yes. And you'll get me a copy? 


12:19 20 MR. KOSTO: Yes. 


21 VINCENT KENNEY, having been duly sworn by the Clerk, 


22 was examined and testified as follows: 


23 THE CLERK: You can be seated. 


24 Could you please state and spell your last name for 


25 the record. 


12:19 10 


12:20 20 


21 


22 


23 


24 


25 
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[TNESS: My last name is Kenney, and it's spelled 


ank you. 


BY MR. KOSTO: 


Good afternoon, Mr. Kenney. 


Good afternoon. 


Where do you work, sir? 


I work for the Federal |] 


Lake City Division. 


Investigation for the 


Will you pull that mic nice and close? 


[ will. Is that good? 


What division? 


The Salt Lake City Division. 


And what do you do for 


Is that something you st 


Pt? 28.3 


the F 


I'm a computer scientist 


tudied in school? 


And do you have a Bachelor of Science degree? 


Edo: 


And when did you get that degree? 


In 2013. 


Where did you first work out of college? 


I worked for the Boeing 


Company as a software engineer. 


The airplane manufacturer? 
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al THE COURT: You need to lean into that mic. Lean in, 


2 as they say. 


Si THE WITNESS: Okay, get nice and close. 


4 BY MR. KOSTO: 


5 ‘ You said Boeing. Is that the aircraft manufacturer? 


6 : It is. 


7 : And how long did you work at Boeing? 
8 : For two-and-a-half years. 


9 : After that what did you do? 


12:20 10 ‘ I started my employment with the FBI. 


11 , And so how long have you been at the F as a computer 


12 scientist? 


13 3 Since October of 2015. 


14 : there in Salt Lake, are you assigned to a particular 


15 t deals with virtual currency? 


16 ‘ IT am. I'm a member of the FBI's Virtual Currency Response 


18 ‘ What is the Virtual Currency Response Team? 


19 : It's a collection of individuals in the FBI that are 


12:21 20 subject matter experts in the area of virtual currencies. 


21 Q. And as part of your work, do you analyze virtual currency 


22 transactions? 


23 A. I do. 


24 Q. And do you provide training on cryptocurrency or virtual 


25 currency to folks in the FBI? 
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al : I do. 


2 ‘ Do you provide trainings outside the F 


3 F I do. 


4 ‘ Have you received any recognitions in relation to your 


5 in virtual currency, digital currency? 


6 : I have. 


. : Specifically what? 


8 : I was recognized by the assistant director of the FBI 


9 Criminal Investigation Division in 2020. 


12:21 10 ; For what, specifically? 


11 : For my work in the area of virtual currencies. 


12 : How long have you been working in virtual currencies? 


13 : I've been working since 2015. 


14 ; And the Virtual Currency Response Team, when was that 


15 established? 
16 A. That was established in early 2020. 
17 Q. How many different investigations have you worked on 


18 related to virtual currencies? 


£ 


19 : Numerous different investigations. 


12:22 20 : Can you describe the different types? 
21 : Yes. They've been computer intrusions, they've been just 


22 traditional white-collar crime cases, such as Ponzi schemes, 


23 and other different types of white-collar crime cases. 


24 Q. Have you testified in criminal cases regarding 


25 cryptocurrency transactions? 


12:22 10 


12:23 20 


21 


22 


23 


24 


25 
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Have you testified as an expert in those cases? 


I have. 


MR. KOSTO: Your Honor, we'd offer Mr. Kenney pursuant 


to Rule 702. 


THE COURT: He may offer an opinion. 


BY MR. KOSTO: 


Q. Let's start with a very basic question, Mr. Kenney. 


In a sentence, what is virtual currency? 


Virtual currency is simply a digital currency. 


And what is the most well-known digital currency? 


Most well-known one is Bitcoin. 


And has your work in this case related to Bitcoin? 


It has. 


Let's use 


okay? 


Bitcoin as an example to explain some of this 


Bitcoin's a digital currency, virtual currency? 


use those terms to mean the same thing? 


Generally interchangeable. 


THE COURT: What does digital currency mean? 


MR. KOSTO: That was my next question. 


THE COURT: All right. I just need baby steps, walk 


BY MR. KOSTO: 


us through this. 
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1 ©. What is digital currency, Mr. Kenney? 


2 A. Yes. Digital currency is simply digital value that's used 
i) to buy or sell a service. 


4 ‘ So is it dollars? 


5 “ It's not dollars; it's digital dollars, digital value. 


6 : Is it associated with any particular country? 


7 P It is not. 


8 : Is it backed by any particular government? 


9 : No, it's not. 


12:23 10 : Why does digital currency -- or why does Bitcoin have 


11 value at all? Well, before I ask you that, what can you do 


12 with digital currency? 


13 A. You can use digital currency to buy goods and services 


14 over the internet or other different places that accept that 


LS digital currency. 


£ 


I had Bitcoin and I wanted to rent a 


16 Q. So, for example, ij 


17 domain, could I use digital currency to do that? 


18 A. You could use digital currency to purchase the renting and 


19 buying of that domain. 


12:24 20 : ld I do it at a company like Namecheap? 


21 : You could. 
22 Q. Are there banks that help people turn dollars into 


23 Bitcoin? 


24 A. There are. 


25 Q. And are there banks that help people turn Bitcoin into 
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al. dollars? 


2 : There are. 


3 ‘ Okay. So digital currency is just information, right? 
4 : Just digital value. 


5 : Can I hold it in my hand? 


6 : No, you cannot. 


7 ; Where is it? Where is it stored? 


8 : It's stored on the internet, and it's stored on a ledger. 
9 ‘ What's the name of that ledger? 
12:24 10 : That is a blockchain. 


11 - We'll come back to blockchain in a second. 


12 But let's say I am wanting some Bitcoin, I want to 


13 rent a domain at Namecheap. Can you define two terms for us? 


14 The first of them is, are you familiar with the term "digital 


15 wallet"? 


16 A. I am. 


ay Q. And so I've got a wallet in my back pocket. 


18 digital wallet different from this one? 


19 A. A digital wallet is stored on a digital device such as a 


12:25 20 cell phone or a computer or some other device that accepts 


21 wallet software. 


22 Q. And so is it fair to say that a digital wallet is a place 


23 that you can store cryptocurrency? 


24 A. It is. 


25 Q. Or Bitcoin? 
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al A. Or Bitcoin. 


2 Q. So I need a digital wallet to be able to spend Bitcoin or 


3 receive Bitcoin? 


4 A. To receive it, correct. 


5 on There's one other term here. What about a Bitcoin 


6 address, what is that? 


7 A. Yeah, so a Bitcoin address is a public address that stores 


8 the value of the cryptocurrency of the Bitcoin that you have. 


9 : What's the real-world comparison to a Bitcoin address? 


12:25 10 : it looks just like simple letters and numbers that are 


11 f put together. 


12 < [ it like an account number for Bitcoin? 


13 : It's kind of like an account number, yes. 


14 Q. So if I have an address, can I use that address to send 


15 and receive Bitcoin? 


16 A. If you have an address, you can send Bitcoin from that 


17 address if there's value in it, and you can receive Bitcoin to 


18 that address. 


19 ‘ How many different addresses can I have? 


12:26 20 2 You can have thousands of different addresses. 


21 : And where would I keep all of my addresses to keep them 


22 organized? 


23 A. You would keep that in a digital wallet. 


24 Q. Okay. So my Bitcoin addresses where I keep the Bitcoin 


25 can go in a digital wallet? 
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al A. Correct. 


2 Q. And the digital wallet is software that helps me organize 


3 and spend my digital currency? 


4 : That's correct. 


5 : Are we good so 


6 : We're good. 


. ; Let's say I'm a person who now has a wallet and I have an 


8 address but I don't have any Bitcoin. What do I need to do to 
9 get it? 
12:26 10 A. You would need to give your address to an individual that 
‘lal has cryptocurrency or has Bitcoin, and they would send value to 


12 that address. 


13 : I don't have any Bitcoin, but if you gave me your address 


14 I had an address, I could arrange to send it? 


15 A. Yes. If you gave me your address and I had Bitcoin, 
16 could send Bitcoin to your address. 
17 Q. Okay. And how do you prove that you own the Bitcoin if 


18 you can't hold it in your hand and it's all going on up here 


19 the air? 


12:27 20 A. So the digital wallet contains your private key that's 


21 associated with that address. 
22 Ox All right. So that's a new term. 


23 What's a private key, and how does it relate to the 


24 Bitcoin in my address, in my wallet? 


25 A. So a private key is used to prove you are the owner of 


Case 1:21-cr-10104-PBS Document 215 Filed 02/21/23 Page 141 of 167 
7-141 


al address, of the Bitcoin address. 


2 ‘ Is it like a password for the wallet? 


3 ; It's similar to a password, yes. 


4 ‘ And let's say I lose my password to my wallet and address. 


5 : If you can't recover that password and you lose it, then 


6 you lose access to that -- those funds in that address. 


. Q. But if I have the private key, if I have the password, 


8 what can I do with the Bitcoin in my wallet? 


9 A. can prove that you're the owner of the Bitcoin and 


£ 


12:28 10 that address, and therefore, spend the funds from that address. 


£ 


amiliar with the 


11 Q. I believe you testified that you're 


12 company Namecheap? 


13 : IT am. 

14 ; What can one do at Namecheap? 

15 : An individual can purchase domain names at Namecheap. 
16 : Can customers use Bitcoin from their own wallets to 
LS] purchase domains at Namecheap? 


18 A. They can use Bitcoin to purchase domains at Namecheap. 


19 Ox One last concept to cover before we dig into your 


12:28 20 analysis, Mr. Kenney. 


21 You mentioned the blockchain. What is the blockchain? 


22 A. The blockchain is a public record that stores all 


23 transactions that are made on the Bitcoin network. 


24 QO. So if I sent you a Bitcoin, if I were so lucky as to have 


25 one, would it go to the blockchain -- or the record would go to 


12:29 10 


12:29 20 


21 


22 


23 


24 


25 
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the blockchain? 


A. 


Q. 


The record of that transaction would go to the blockchain. 


And if you sent it on to Mr. Nemtsev, would that record go 


to the blockchain? 


A. 


Q. 


It would. 


And if Mr. MR. NEMTSEV sent it on to the Court, would that 


record go to the blockchain? 


A. 


Q. 


All records go to the blockchain. 


So it's kind of like a bank statement for all the Bitcoin 


transactions? 


A. 


Q. 


That's publicly available. 


And so from the beginning of Bitcoin, all the way back, 


how many transactions are in the blockchain? 


A. 


Q. 


Millions of them. 


And maybe, I don't know, how many per month get generated 


on the Bitcoin blockchain? 


Hundreds of thousands. 


And how many blockchains are there for Bitcoin? 
There is one. 


Are there other virtual or digital currencies out there? 


There are. 


Do they all have their own blockchains? 


They do. 


And so what's the benefit of having this blockchain out 


there that you can look at? 


12:30 10 


12:30 20 


21 


22 


23 


24 


25 
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It acts as a public record, so, therefore, people can 


firm that -- an individual who owns cryptocurrency, they can 


firm that information because it's publicly available. 


you have access to the blockchain, which we all do, 


what can you do when you've identified a particular virtual 


currency address in one of your cases? 


A. 


or received 


Q. 


You can look up to see where that address has been spent 


funds. 


So you're looking in the blockchain to see what you can 


learn about that transaction? 


Correct. 


Can 


No, 


search 


you cann 


Vincent Kenn 


No, 


you cann 


What can you 


the blockchain by name? 

ol == 

ey, for example? 

ot search it by a person's name. 


search it by? 


You can search it by the address or the transaction hash 


for that unigue transaction. 


Q. 


So that's a new term. So if I have your address, 


in and look for i 


A. 


Q. 


t in the blockchain? 


Correct. 


THE COURT: An IP address? 


THE WITNESS: You won't need an IP address. 


BY MR. KOSTO: 


When we say 


"address," we're referring to the Bitcoin 
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al. address? 
2 A. That's correct. 


3 THE COURT: The Bitcoin address, not the 


4 THE WITNESS: Correct. 


5 BY MR. KOSTO: 


6 ; And that's a long series of letters and numbers? 


7 2 Numbers and letters, yeah. 
8 Q. How many letters and numbers go in each Bitcoin address? 


9 We're going to see a bunch. 


12:31 10 ; Yeah, approximately 24. 

11 ‘ And that's the account number? 

12 : That's the public address, correct. That's the account. 
13 ; And so you can go into the blockchain and look for these 
14 addresses to try to trace the transactions? 


15 A. Correct. 


16 : Did you do some analysis regarding Bitcoin transactions in 


Ly case? 


18 . I did. 


19 : And which transactions did you analyze? 


12:31 20 : I looked at three transactions that correspond to the 


21 purchasing of domains from Namecheap. 


22 Q. And of the three transactions that you looked at, what is 


23 the first and last name of the customer associated with the 


24 first transaction? 


25 A. So the first and last name is Andrea Neumann. 
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1 ‘ And was there an email address for that person? 
2 ‘ There was. 
3 ‘ What was it? 


4 : neumann@dr.com. 


5 : I'm showing you Government's Exhibit 173B in evidence at 


7 Do you recognize this document? 


8 : I do. 


9 And what is it? 


12:32 10 ; This is the Namecheap record. 

11 : And who is the first name, last name, and email for this 
12 particular account? 

13 A. Andrea Neumann, and the email is neumann@dr.com. 

14 Q. So this is one of the domain accounts that you were asked 


15 to analyze in this case; is that right? 


16 A. Correct. 


ay ©, Let me take you to page 4 of this Namecheap record. 


18 In the bottom row of the page entitled "Transaction 


19 Review," could you share with us what we are looking at? 


12:32 20 A. Yeah, you're looking at the purchasing record of 


21 information from Namecheap. 


22 Q. So who bought what from Namecheap? 
23 A. So Andrea Neumann purchased domains from Namecheap. 


24 Q. And are you able to tell, looking at this record, how 


25 Andrea Neumann, or the Andrea Neumann subscriber, purchased 
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alt domains? 


2 e [ am. 


3 : How do you know? 


4 : I know because in the fourth column, the transaction type, 


5 I see that they were purchased through a service called BitPay. 
6 Q. Okay. So we haven't heard BitPay before. What is BitPay, 


7 and how does that tell you that this is a purchase? 


8 A. BitPay is a payment processor for cryptocurrencies. 


9 Q. And what does BitPay -- what role does BitPay play in the 


12:33 10 digital currency environment? 


11 A. So they act on behalf of their customer, Namecheap, to 


12 receive payment for the domain names or a good or service, and 


13 then they act kind of in the middle between Namecheap and the 


14 customer. 


15 : L£ I went to Namecheap to buy a domain, could I 


16 Mastercard? 


Ly : You could. 


18 . Could I use Visa? 


19 You could. 


12:33 20 : Could I use Bitcoin? 


21 F You could. 


22 ‘ Okay. And if I used Bitcoin to get something from 


23 Namecheap, what company would be involved? 


24 A. It would go through BitPay. 


25 QO. Let me point you, in Exhibit 173B, to the column that says 
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al "CC Transaction 


2 Do you see it there? 


3 F I do. 


4 ‘ What is that transaction ID in the row related to BitPay? 


5 : That is the unique transaction ID that corresponds to the 


6 purchasing of cryptocurrencies through BitPay. 


. Q. Can I have you read the first four or five letters of 


8 transaction ID? 


9 A. It's 44L6. 


12:34 10 : And the 44L6 transaction, what date did it take place? 


11 : It took place on August 15, 2018. 


12 Q. And do you know whether the government obtained BitPay 


13 records related to the transaction that you've been describing 


14 on August 15, 2018? 


iS) . I do. 


16 : And where did the government get them? 


17 : They got them from BitPay. 


18 : So do you recognize —- 


19 MR. KOSTO: Could we have Government Exhibit 181 


12:35 20 evidence, please. 


21 : Do you recognize Government's Exhibit 181? 


22 . I do. 


23 F And what is it? 


24 : This is the records that came back from BitPay. 


25 : And directing you to row 2 and Column A, can I have you 


Case 1:21-cr-10104-PBS Document 215 Filed 02/21/23 Page 148 of 167 


7-148 


al: the email address there? 


2 ‘ That is neumann@dr.com. 


3 ‘ Is that the same email account we've been talking about 


4 for the last few minutes? 


5 A. Tt is: 


6 Q. And what is the date of the transaction in BitPay's 


7 records for the neumann@dr.com transaction? 


8 A. August 15, 2018. 


9 Q. And can I have you read the first few characters of the 


12:35 10 string of letters and numbers in column H? 
11 : Yes, that is 44L6. 
12 : And do you recognize that from anywhere? 


13 : I do. 


14 - Where did that number come from? 


15 : That came from the previous record, the Namecheap record. 


16 : So do we know that we're talking about the Namecheap 


LS} transaction involving Andrea Neumann here? 


18 A. That's correct. 


19 Q. What is in column C of row 2 of Exhibit 181, the ] 


12:36 20 record? 
21 : That is BitPay's public address. 


22 : And can you just give us the first four letters of it? 


23 . 1UFS. 


24 : Now, are BitPay addresses usually unique enough that you 


25 can read the first three or four letters and be pretty 
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1 confident that you're talking about the same wallet? 

2 ‘ Yes. 

3 : So we don't have to read all 26 letters every time? 
4 : No, we don't. 


bs s So about this 1JFS record, whose address is that? 


6 : This is BitPay's address. 


7 : And is this where BitPay receives its payment? 


8 . It is. 


9 : Is this kind of similar to BitPay's cash register at the 


12:36 10 front of the store? 


11 A. Pretty much, yeah. 
12 Q. So does BitPay receive a lot of payments, potentially, 
13 into this one? 


14 A. It could. 


15 On Okay. And what did you do once you had an address that 
16 was used to pay BitPay -- or you had the address that BitPay 


17 got paid at. What was your next step in your analysis? 


18 A. My next step was to see that on the blockchain. 


19 Q. And why were you looking on the blockchain? What were you 


Sse 


12:37 20 trying to figure out? 


21 A. I wanted to see who the sender of -- who the sender was 


22 sending funds into this BitPay address. 


23 Q. So who paid for Andrea Neumann's domain? 


24 A. Correct. 


25 Q. And can you tell the jury -- what's that process called? 


12:37 10 
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That process is called blockchain analysis. 


Going to that public ledger? 


Correct. 


Can you tell the jury in general terms how you start that 


analysis once you have an address that you want to know 


something about 


A. You'll take the address and you'll put it into a block 


explorer. 


Q. What is a block explorer? 


A. So a block 


explorer is an easier way to view these 


different transactions on a blockchain. 


A way of looking up on the blockchain to find information? 


Correct. 


Q. And in your experience, have you found the information in 


block explorer 


Bitcoin transact 


12:38 20 


21 


22 


23 


24 


25 


to be a reliable place to find information about 


tions? 


A. Yes, I have. 


Q. And how do 


you know that it's accurate, using the block 


explorer instead of the blockchain itself? 


A. Because I've actually downloaded the full Bitcoin 


blockchain and confirmed this information. 


OQ. God bless you. 


Did you prepare an illustration in connection with 


your testimony today? 


A. I did. 
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1 Q. And I showing you Government's Exhibit 189, just 


2 witness, i I can do that -- I can't do that. 


Si CLERK: Can you hand it to him on paper? 


4 CQ : Paper? 


5 MR. KOSTO: This is Bitcoin testimony. We're not 


6 going to use paper. 


7 May I approach the witness? 


8 THE COURT: Yes. 


9 (Discussion off the record.) 


12:38 10 BY MR. KOSTO: 


ala Q. Mr. Kenney, do you recognize Government's Exhibit 189? 


12 A. TI do. 


13 Q. Would it assist you in explaining the Bitcoin tracing you 


14 conducted? 


15 A. It would. 


16 MR. KOSTO: I'd offer it and ask that it be published 


17 to the jury, at least page 1 of it. 


18 THE COURT: I haven't seen it. Any objection? 


19 MR. NEMTSEV: No objection, your Honor. 


12:39 20 THE COURT: All right. 


21 (Exhibit 189 received into evidence.) 


22 BY MR. KOSTO: 


23 : We're here at page 1, Mr. Kenney; is that right? 


24 : That's correct. 


25 : And you've testified that you looked at a series 
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i Namecheap transactions in your analysis; is that right? 


2 A. Correct. 


3 Q. And are the three columns -—-- what are the three columns on 


4 page 1 of your illustration? 


5 A. These are the three different accounts that are associated 


6 with these transactions. 
. Q. And so we —-- let's look at Namecheap domain 1, that 
8 column. Can you read the buyer email? 
9 : The buyer email is neumann@dr.com. 
12:39 10 : And can you read the transaction date? 
11 : Transaction date is August 15, 2018. 
12 : And so this is the transaction that purchased from 
13 Namecheap on the Neumann account, correct? 
14 A. Correct. 
15 O- And so can you share, in general terms, starting with that 
16 data point, what you were trying to show or determine with your 


17 analysis? 


18 A. I was trying to show a relationship between these three 


19 different accounts. 

12:40 20 Q. Can you go ahead and read the three accounts out loud, 
21 just from the starters? We'll get to each of them in turn, 
22 you've read namecheap@dr.com. What's the next one? 
23 A. The next one is kavin.sspender@mail.com. 
24 Q. And what's the third account that you were trying to 


25 determine if there was a connection to? 
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al . The third account is wan-connie909@inbox.lv. 


2 ‘ And why did you look at these three accounts? 


3 : Because these were the three accounts that were given to 


5 : If we could move to the next step of your process on page 


6 your illustration. 


7 What was the first thing you did? 


8 ‘ The first thing I did was I took that BitPay address that 


£ 


our earlier records -- 


9 we Saw in one o 


12:40 10 : Is that the 1JFS? 


11 : That is. 
12 : At the bottom right of your illustration? 
13 : Correct. 


14 ‘ Okay. And what did you do when you took that address? 


15 : I put that into a public block explorer. 
16 ‘ And why did you go to the block explorer with the 1JFS 


Ly address? 


18 : Because I wanted to see the address that sent funds to it. 


19 : And that's your starting point? 
12:41 20 : That is my starting point. 
21 : And so let's go to page 3 of your illustration. 


22 This is a little different. We've got -- is this from 


23 the block explorer? 


24 A. This is from the blockchain.com block explorer, correct. 


25 Q. We've got two blue boxes on this chart, right? 
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al 7 Mm—-hmm. 


2 ‘ What is the blue box on the right? 


3 A. The blue box on the right is the BitPay address, the 


4 familiar 1JFS address. 


5 MR. KOSTO: Ms. Lewis, can you blow up the first few 


6 characters of the box on the right. 
7 is So we have that there, the 1JFS. 


8 : Correct. 


9 : That's the one you're trying to figure out who paid f 
12:41 10 
11 : Correct. 
12 : And you went to the block explorer to do that? 


13 : 1 -did. 


14 : And so that's the blue box on the right. 


15 What's the blue box on the left? 


16 - The blue box on the left is the sender. 


ay ‘ This is the payer? 


18 : This is the person who paid. 


19 : Can you read the first few characters of the payer's 


12:42 20 ] in address? 


21 é Tt's 14KP. 


22 Q. Okay. Do we have a date for this transaction from the 
23 blockchain explorer? 
24 A. There is. 


25 Q. And what is it? 
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al : It is August 15, 2018. 


2 ‘ Do you recognize that date? 
S . I do. 


4 : Is it the same date from the Namecheap records? 


5 : It is. 
6 : So we know we're talking about the same transaction here? 


7 F Correct. 


8 ‘ Okay. And I want to direct you to the yellow highlighting 


9 in page 3 of your illustration. 


12:42 10 Do you see it there? 


de. : I do. 


12 MR. KOSTO: Could we have it a little bigger, please, 


13 . Lewis. Thank you. 


14 : Okay. We're looking at a long string here. Could you 


15 the first five characters? 


16 é Yes. It's 1LJMCC. 


17 : And what is 1JMCC? That's a new address, we haven't seen 


18 before. 


19 ; It is. 


12:43 20 . What is it? 


21 : It is the change from the sender for this transaction. 


22 : What do you mean "the change"? 


23 3 So when funds are sent from one Bitcoin address to another 


24 Bitcoin address, the remainder of the funds are put into a new 


25 address called the change address. 
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i Q. So if I go to Target to buy something and I put my credit 


2 card down for a $15 item, or hand over $20 cash, I get change 


3 to me, right? 


4 A. If you used a credit card, you wouldn't get any change. 


5 If you used cash, you might get some change. 


6 Q. So why is Bitcoin -—- if I sent $20 in Bitcoin, why am I 


7 getting change? Why can't I just send $15 in Bitcoin? 


8 A. This is the nature of how the Bitcoin protocol works. It 


9 will move funds to this unspent address, and it's referred to 


12:43 10 as the change address. 


11 Q. So if we can go back to page 3, if we have a total amount 


12 of Bitcoin, it all has to go, right? 


13 A. It all goes into the change address. 


14 Q. Some of it goes to pay for whatever you're buying, the 


15 rest of it goes to the change address? 


16 A. Correct. 


ay Q. And one more time, what is the change address that the 


18 change from the Andrea Neumann transaction went? 


19 A. The change, exact change, is 0.0056. 
12:44 20 : That's over there on the right? 
21 : Yes. 
22 : That tells you how much change the address got? 
23 : Correct. 
24 ; And which address got the change? 


25 . The 1LJMCC address. 


12:45 10 


12:45 20 


21 


22 


23 


24 


25 
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Q. When you're tracing Bit 


wallet that paid for somethi 


change excuse me, the add 


the address that got the cha 


A. So I can say that the a 


received the change, it's ow 


anew ong 


Even though it's a di 


q-Lo7 


coin, what can you say about the 


ng and the wallet that got the 


ress that paid for something and 


nge? 


ddress that paid for things, if 


ned by the same owner. 


erent address? 


Even though it's a diff 


erent address. 


Because the change goes 


to an entirely new address, right? 


new address. 


It goes to an entirely 


change -- 


Are the same person. 


-—- go together? 


Correct. 


THE COURT: How muc 


MR. KOSTO: We'll f 


But the sender of the money and the recipient of the 


h longer do you think you have? 


THE COURT: You'll 


inish by 1:00, your Honor. 


£ 


inish yours by 1:00? 


MR. KOSTO: Yes. Yes. 


BY MR. KOSTO: 


Q. So in this particular c 


there more change? 
A. There was more change. 


Oz And what date did the c 


A. Same date of August 15, 


ase, was there more payment or was 


hange transaction occur on? 


2018. 
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1 ‘ That's the Neumann purchase date, right? 
2 ‘ That's correct. 
3 : So the change happens on the same day as the transaction? 


4 : Correct. 


5 : So now you have a change address from the Neumann 
6 purchase, right? 

7 : Correct. 

8 : What's the next step in your analysis? 


9 , My next step to see is where was the change spent. 


12:45 10 : Let's look at Exhibit -- or page 4 of your illustration 
11 for a little recap here. 

12 What is page 4 showing? 

13 : This is a recap of an earlier slide that simply shows me 


14 tarting out with that familiar 1JUFS BitPay address and tracing 


iS) it backwards to see who was the sender. 


16 : So that was the wallet number 1 here? 


Ly 7 Correct. 


18 Q. Okay. And let's adda little complexity here. Go to the 


19 next page of your illustration. 
12:46 20 What have we added to the picture? 


21 A. So in this illustration, we've added the fact that there 


22 is a change address for the remainder of the funds. That is 


23 address number 2. 


24 Q. So how, in plain English, would you describe the contents 


25 of wallet number 2 at the left of your picture? 
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a A. That is the remainder of the funds that the individual who 
2 owned wallet number 1 has been pushed into wallet number 2. 


3 Q. And it's the change from what transaction? 


4 A. It is the change from the transaction of Andrea Neumann 


5 for the BitPay purchase. 


6 Q. At page 6 of the illustration, how did you continue your 


7 analysis? 


8 A. I wanted to see where the funds from this change went to. 


9 Q. And did you determine where the change -- where is the 


12:47 10 change address in this page, number 6? 
11 A. So the change address in this page is -—- so the change 
12 address from the previous transaction in this one is 1JMCC. 
13 Q. Where did 1JMCC send the change? 


14 A. So it sent the funds to BitPay, the 1KwN address. 


15 Q. So if BitPay received the change, were you able to 


16 determine what address or transaction BitPay got that change 


Ly for? 


19 : where did you find that? 


12:47 20 : [ found that address listed here in the block explorer, 


21 but that was also one of the addresses that was given to me by 
22 the investigators. 


23 O%. Let's go to Exhibit 182 in evidence. 


24 Do you see the column C there? 


25 


12:48 10 


12:48 20 


21 


22 


23 


24 


25 
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Can you read the first few letters of the address? 


That is l1KwN. 


Is that the address that got the change from the Neumann 


transaction? 


A. 


Q. 


Tt 2S: 


And do Bitpay's records tell you what was purchased with 


the Bitcoin that went there? 


A. 


They do. 
Well, for starters, for what company was the payment made? 


The payment was made on behalf of Namecheap. 


It was another Namecheap transaction? 
Correct. 
And what was the date of the Namecheap transaction? 


That was October 29, 2018. 


And directing you to column P, what was the account 


associated with the Namecheap purchase? 


A. 


Q. 


That account is kavin.sspender@mail.com. 


So we have the change from Andrea Neumann making a 


purchase related to Kavin Spender's domain; is that right? 


A. 


Q. 


A. 


Q. 


That's correct. 


Let's go to page 7 of your illustration. 


And what's in the red box there? 


That email address, kavin.sspender@mail.com. 


And which of the name -—- which of the Namecheap 


transactions that you were asked to look at is Kavin Spender, 
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1 or 3? 


2 : Number 2. 


3 Q. So in plain English, at this point of your analysis, what 


4 has your analysis shown? 


5 A. So I've shown that funds were used to purchase domains 


6 under account neumann@dr.com, and the change, the remainder 


7 the funds, were then used to purchase accounts at 


8 kavin.sspender@mail.com. 
9 Q. And how does that get at the question you're trying to 


12:49 10 answer? 


‘lal A. So I'm trying to see if there's a relationship between 


12 these two accounts and these two Bitcoin payments. 


£ 


13 Q. And what did you conclude so far? 


14 A. So I concluded that the change, the remainder of funds, 


15 was used to spend and to purchase the second series of domains. 
16 QO. And what does that tell you about the people or persons 


A} who did the second purchase? 


18 A. That tells me there's a relationship between the two. 


19 Q. Looking at page 8 of your illustration, where do we pick 
12:49 20 up now? 


21 A. Now we pick up at the change address of this particular 


22 transaction. 


23 Q. And when you say "this particular transaction," this is 


24 the change from what transaction? 


25 A. The transaction under account kavin.sspender@mail.com f 
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A domains under Namecheap. 


2 Q. And on your illustration here at page 8, what is the 


3 change address, first few characters? 


4 : First few characters are 1DNG. 


5 : And what was the date of the change transaction? 
6 : Same date, October 29, 2018. 
. : Same date as what? 


om 


8 : Same date as the sending of the funds. 


9 : So let's go to page 9 of your illustration for a bit of 
12:50 10 recap. 
Li There's a bit more here, but start with wallet 2 for 


12 us, up in the left-hand corner. 


13 A. Wallet 2 is the change that came back from the initial 

14 purchase. 

15 Q. Andrew Neumann? 

16 A. Correct. Those funds then went to BitPay, and the change, 
17 so the remainder of those funds, went into another address 


18 listed as wallet number 3. 


19 Oz So the diagonal line is the payment to Bitpay for the 
12:51 20 second account? 
21 A. Correct. 
22 Q.. And the vertical line going down to wallet number 3 is the 


23 change, right? 


24 A. It's the change. 


25 Q. What was your next step? 
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1 A. Same pattern, follow the change to see where that was 
2 spend. 


3 Q. Is that shown on page 10 of your illustration? 


4 A. LE VS 

5 Q. And where did the change go from the purchase of the Kavin 
6 Spender domain? 

i : So the change went into address 17zQ. 

8 ‘ And is that in the blue box on the right? 


9 . Tt 2S". 


12:51 10 : When did that happen? 


‘lal ; That happened on November 22, 2018. 


12 ‘ At what time? Does the blockchain explorer tell you what 
13 the transaction was? 


14 : Yes, at 4:03:34 a.m. 


15 ¢ So at page 11 of your illustration, can we add this to the 


Ly P We can. 


18 2 And what do we have here in wallet 3? 


19 : We have the change from the kavin.sspender@mail.com going 


12:51 20 wallet number 3. 


21 ‘ Can we add page 12 of your illustration? 
22 ‘ We can. 
23 : What's new here? 


24 : So we see the funds that came from that change now go into 


25 a new recipient of 172zQ. 
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al. : that's wallet 4? 


2 : that's listed as wallet 4. 


3 Q. So how does the money in wallet 4 relate to the Kavin 


4 Spender Namecheap transaction, that second transaction you 


5 testified about? 


6 A. So the change from that Kavin Spender account went into 
7 wallet 4. 
8 Q. And at page 13 of your illustration -- just a few more 


9 pages -—- what did you do next? 


12:52 10 ‘ I just wanted to see where those funds went to. 


11 ; The funds related to the Kavin Spender purchase? 
12 ; Correct. 


13 : And where did it go? 


14 : Those funds went into BitPay. 


15 : And when did it go into BitPay? 


16 : Two hours later, at -- 11/22/2018 at 06:43. 


17 MR. KOSTO: So if we can go back one slide -- two 


18 slides —-- sorry, Ms. Lewis, three slides. 


19 F The time that it arrived was what? 


12:53 20 ; Approximately two hours later. 


21 : So 4:34 a.m. it arrives? 


22 : It arrives in this new address at 4:35 -—- or 4:34. 


23 F And then when does it leave? 


24 : And then it leaves at approximately 6:43. 


25 : And you mentioned that payment went where? 
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1 A. That payment went to BitPay. 


2 O.. And were you able to determine if for a particular 


3 account? 


4 A. [ was. 


5 Ow Let's go back to Exhibit 181 in evidence. 


6 Do you recognize row 3, column C? 


7 F I do. 


8 : What is that? 


9 . That is the public Bitpay address. 
12:53 10 : That's the BitPay cash register? 
11 : Correct. 
12 : And does the record at 182 show you what account was paid 
13 for using that address? 


14 A. It does. 


is) QO. And looking at column Q, what was -—- well, what was the 


16 vendor related to this transaction? 


Ay A. The vendor was Namecheap. 


18 Q. That's where we started with all this, right, back at 


19 Andrea Neumann? 
12:53 20 : That's correct. 
21 : And we're back at Namecheap again? 


22 : We're back at Namecheap. 


23 : And what was the account for this Namecheap purchase? 
24 : The account holder was wan-connie909@inbox.1lv. 


25 : Let me take to you forward to page 14 of your 
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1 illustration. 


2 Do you recognize this from the beginning of 
3 illustration? 


4 A. I do. 


5 O- So where are we in your analysis now? You started us with 


6 a Namecheap purchase for Andrea Neumann. Where have we gotten? 


7 A. We've gotten to the Namecheap domain number 3, so the far 


8 left column -- sorry, far right column. 


9 Q. And how did we get from 1 to 3? 


12:54 10 A. We got there because, one, we saw that account under 
11 neumann@dr.com, the funds were used to purchase that account, 
12 and then the change went to the next account, and that was used 


13 to purchase funds under kavin.sspender@mail.com. And then, 


14 shortly after, the recipient of funds used to purchase accounts 


15 under wan-connie909@inbox.lv. 


16 Q. And what do you conclude from that data about those three 


Ly accounts? 


18 A. So I can conclude that there's a relationship between all 


19 three of these different accounts. 


12:55 20 Q. Why would you say that? 


21 A. Based off of the payment history and based off of the 


22 payment patterns. 


23 Q. So what is page 15 of your illustration showing? 


24 A. So this shows the conclusion of this pattern. 


25 Q. Take us back to wallet 4. 


12:55 10 
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What's been added since we last saw your illustration? 


A. So wallet 4 is the recipient that received those change 


funds, and wallet 4 paid into BitPay. 


Q. I lation to which account? 


A. I lation to the wan-connie909@inbox.1lv account. 


Q. And you said something about the pattern being the reason 


for that conclusion. Why do you say "pattern"? 


A. Because what we can see is that this followed the same 
pattern of the change moved from one account to another account 
to another account. And the last hop that was made between 3 


and 4, that address listed at number 4, that had never been 


used before. So that means that the owner of funds in number 3 


£ 


had to have known the owner of funds in number 4 to receive 


that address and then send the funds across and finally 


purchase the last Bitpay account. 


Q. Back at the beginning of our testimony, you told me that 


12:56 20 


21 


22 


23 


24 


25 


I'd need to know your address to be able to send you Bitcoin, 
right? 


A. Correct. 


Q. There's no place I can go up and look for your address? 


A. If funds have never been sent to an address, it's not 


publicly on the blockchain. You have to receive it from 


someone. 


Q. So the last page of your illustration, page 16. Do you 


see at the bottom there are two rows, "View IPs" and "Remote 


